[Python-Dev] Proposal for a new function "open_noinherit" to avoid problems with subprocesses and security risks

A.M. Kuchling amk at amk.ca
Sat Jun 23 20:36:45 CEST 2007


On Sat, Jun 23, 2007 at 08:39:38AM -0700, Stephen Hansen wrote:
> I just wanted to express to the group at large that these experiences aren't
> just Henning's; we spent a *tremendous* amount of time and effort debugging
> serious problems that arose from file handles getting shared to subprocesses
> where it wasn't really expected.

I've also encountered this when writing programs that are SCGI servers
that do a fork.  SCGI is like FastCGI; the HTTP server passes requests
to a local server using a custom protocol.  If the fork doesn't close
the SCGI server port, then Apache does nothing until the forked
subprocess exits, because the subprocess is keeping the request socket
open and alive.  

One fix is to always use subprocess.Popen and specify that
close_fd=True, which wasn't difficult for me, but I can imagine that
an easy way to set close-on-exec would be simpler in other cases.

--amk
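
An added example, not part of the original message: it reproduces the stall described above on a POSIX system, using a `socketpair()` as a constructed stand-in for the connection between the HTTP server and the SCGI server. Since Python 3.4 descriptors are non-inheritable by default, so the leaky case is recreated explicitly with `os.set_inheritable`; the function name `peer_sees_eof` is hypothetical.

```python
import os
import socket
import subprocess
import sys

# Child that stays alive until its stdin is closed (stand-in for a long-running subprocess).
CHILD = "import sys; sys.stdin.read()"


def peer_sees_eof(inheritable, close_fds):
    """Return True if the peer gets EOF after the server closes its end of
    the request socket while a spawned child is still running."""
    peer, request = socket.socketpair()  # constructed: peer = HTTP server side
    os.set_inheritable(request.fileno(), inheritable)
    child = subprocess.Popen([sys.executable, "-c", CHILD],
                             stdin=subprocess.PIPE, close_fds=close_fds)
    try:
        request.close()          # the server itself is done with the request
        peer.settimeout(1.0)
        try:
            return peer.recv(1) == b""   # EOF: nobody else holds the socket
        except socket.timeout:
            return False                 # still open: the child holds a copy
    finally:
        child.stdin.close()      # let the child exit
        child.wait()
        peer.close()


def run_cases():
    return {
        "inherited, close_fds=False": peer_sees_eof(True, False),
        "inherited, close_fds=True": peer_sees_eof(True, True),
        "close-on-exec, close_fds=False": peer_sees_eof(False, False),
    }


if __name__ == "__main__":
    for case, eof in run_cases().items():
        print(f"{case}: peer {'sees EOF' if eof else 'hangs until child exits'}")
```
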

