On Fri, Jan 11, 2013 at 5:30 PM, Charles-François Natali <span dir="ltr">&lt;<a href="mailto:cf.natali@gmail.com" target="_blank">cf.natali@gmail.com</a>&gt;</span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">&gt; That could always be overcome by passing close_fds=False explicitly to<br>
&gt; subprocess from my code, though, right? I&#39;m not doing that now, but then I&#39;m not<br>
&gt; using the esoteric options in python-gnupg code, either.<br>
<br>
</div>You could do that, or better explicitly support this option, and only<br>
specify this file descriptor in subprocess.Popen keep_fds argument.<br>
<div class="im"><br>
&gt; My point was that the GnuPG usage looked like an example where fds other than<br>
&gt; 0, 1 and 2 might be used by design in not-uncommonly-used programs. From a<br>
&gt; discussion I had with Barry Warsaw a while ago, I seem to remember that there<br>
&gt; was other software which relied on these features. See [1] for details.<br>
<br>
</div>Yes, it might be used. But I maintain that it should be really rare,<br>
and even if it&#39;s not, since the &quot;official&quot; way to launch subprocesses<br>
is through the subprocess module, FDs &gt; 2 are already closed by<br>
default since Python 3.2. And the failure will be immediate and<br>
obvious (EBADF).<br></blockquote><div><br>I suppose I should chime in. I think the pattern of &quot;open some file descriptors, fork,<br>exec&quot; and pass the file descriptors to a child process it a very useful thing, and certainly<br>
something I use in my code. Although to be honest, it is usually a C program doing<br>it.<br><br>I do this for two reason:<br><br>1) I can have a relatively small program that runs at a rather high privilege level (e.g: root),<br>
which acquires protected resources (e.g: binds to port 80, opens some key files that only<br>a restricted user has access to), and then drops privileges, forks (or just execs) and passes<br>those resources to a larger, less trusted program.<br>
<br>2) I have a monitoring program that opens a socket, and then passes the socket to a child<br>process (via fork, exec). If that program crashes for some reason, the monitoring program<br>can respawn a new child and pass it the exact same socket.<br>
<br>Now I&#39;m not saying these are necessarily common use cases, but I think changing the default<br>behaviour of file-descriptors to be close on exec would violate principle of least surprise for<br>anyone familiar with and expecting UNIX semantics. If you are using fork/exec directly then<br>
I think you want these semantics. That being said, I have no problem with subprocess <br>closing file-descriptors before exec()-ing as I don&#39;t think a developer would necessarily<br>expect the UNIX semantics on that interface.<br>
<br>Python is not UNIX, but I think if you are directly using the POSIX interfaces they should<br>work (more or less) the same way the would if you were writing a C program. (Some of us<br>still use Python to prototype things that will later be converted to C!).<br>
<br>Cheers,<br><br>Benno<br></div></div>