Re: [PATCH] Introduce O_CLOEXEC (take >2)



On Thu, 31 May 2007, Ulrich Drepper wrote:

> I've brought this topic up before but didn't provide a patch. Well, here
> we go again, this time with a patch. I even throw in a test program.
>
> The problem is as follows: in multi-threaded code (or more correctly: all
> code using clone() with CLONE_FILES) we have a race when exec'ing.
>
>     thread #1                       thread #2
>
>     fd=open()
>
>                                     fork + exec
>
>     fcntl(fd,F_SETFD,FD_CLOEXEC)
>
> In some applications this can happen frequently. Take a web browser. One
> thread opens a file and another thread starts, say, an external PDF viewer.
> The result can even be a security issue if that open file descriptor refers
> to a sensitive file and the external program can somehow be tricked into
> using that descriptor.
>
> Just adding O_CLOEXEC support to open() doesn't solve the whole set of
> problems. There are other ways to create file descriptors (socket,
> epoll_create, Unix domain socket transfer, etc). These can and should
> be addressed separately though. open() is such an easy case that it makes
> not much sense putting the fix off.

Wouldn't this be better as a global process flag? Default should be, for legacy
reasons, !FD_CLOEXEC. But then you can call a sys_task_set_fflags(FD_CLOEXEC)
and all newly created files get that behavior by default. Then, in case
you want some of them to cross the exec boundary, you explicitly
fcntl(fd, F_SETFD, !FD_CLOEXEC).
Most of the MT+exec apps I write would like FD_CLOEXEC for everything anyway.



- Davide
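The race described in the quoted message, shown as an added example (this is not Drepper's test program and not part of the thread). It assumes a Linux system whose open() already accepts O_CLOEXEC, plus /bin/sh and /dev/null. open_then_set_cloexec() is the racy two-step pattern, open_atomic_cloexec() is the fix, and fd_survives_exec() empirically checks, by fork()+exec() of /bin/sh, whether a descriptor leaks into an exec'd program:

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Racy two-step open: between open() and fcntl() another thread may
 * fork()+exec(), and the child inherits fd without FD_CLOEXEC set. */
int open_then_set_cloexec(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    /* ---- race window: a concurrent exec() in another thread leaks fd ---- */
    if (fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Atomic variant: the descriptor never exists without the flag. */
int open_atomic_cloexec(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 if fd is invalid. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Empirical check: fork() and exec() /bin/sh, which tries to redirect its
 * stdin from the inherited descriptor number. Returns 1 if the descriptor
 * is still open in the exec'd program, 0 if exec closed it, -1 on error. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;

    /* A redirection from a closed fd fails, so the shell exits non-zero;
     * stderr is silenced so the EBADF message does not clutter output. */
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; : <&%d", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;   /* could not exec /bin/sh at all */
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    int plain = open("/dev/null", O_RDONLY);
    int safe  = open_atomic_cloexec("/dev/null");

    printf("plain fd %d: cloexec=%d survives exec=%d\n",
           plain, fd_is_cloexec(plain), fd_survives_exec(plain));
    printf("O_CLOEXEC fd %d: cloexec=%d survives exec=%d\n",
           safe, fd_is_cloexec(safe), fd_survives_exec(safe));
    return 0;
}
```

The two-step version ends up in the same state as the atomic one, which is exactly why the bug is easy to miss: only a fork()+exec() that lands in the marked window observes the difference, and nothing in the parent records that it happened.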

