My question is: would you accept to break backward compatibility (in Python 3.4) to fix a potential security vulnerability?
Although obvious, the security implications are not restricted to sockets (yes, it's a contrived example): """ # cat test_inherit.py import fcntl import os import pwd import sys f = open("/tmp/passwd", 'w+') #fcntl.fcntl(f.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC) if os.fork() == 0: os.setuid(pwd.getpwnam('nobody').pw_uid) os.execv(sys.executable, ['python', '-c', 'import os; os.write(3, "owned")']) else: os.waitpid(-1, 0) f.seek(0) print(f.read()) f.close() # python test_inherit.py owned """
I'm not sure that close-on-exec flag must be set on the listening socket *and* on the client sockets. What do you think?
In the listening socket is inherited, it can lead to EADDRINUSE, or the child process "hijacking" new connections (by accept()ing on the same socket). As for the client sockets, there's at least one reason to set them close-on-exec: if a second forked process inherits the first process' client socket, even when the first client closes its file descriptor (and exits), the socket won't be closed until the the second process exits too: so one long-running child process can delay other child processes connection shutdown for arbitrarily long.