Re: [PATCH 02/17] mark newly opened fds as FD_CLOEXEC (close on exec)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> Redhat still has not given a reason as to why this is needed.

I believe:
  a) the fact CLOEXEC isn't the default on new fd's is a (UNIX/POSIX)
API bug (which of course can't be fixed...)
  b) not setting CLOEXEC on every fd is an application bug (with the
exception of the specific few fd's you actually want inherited)
  c) iptables does occasionally fork/exec (to load modules), for
example "/sbin/modprobe ip6_tables -q", but also for match/target
revision compatibility checking, and when it does this it can call
modprobe with additional opened descriptors (for example sockfd inside
of compatible_revision isn't closed before fork/exec modprobe) - this
is unclean, and could potentially cause security warnings (or even
issues?) since iptables and modprobe have different contexts.

[fc14]# ls -alZ `which iptables`
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       /sbin/iptables
-> iptables-multi
[fc14]# ls -alZ /sbin/iptables-multi
-rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables-multi
[fc14]#  ls -alZ `which modprobe`
-rwxr-xr-x. root root system_u:object_r:insmod_exec_t:s0 /sbin/modprobe

I'm not going to claim I fully understand the security implications of
leaving the file descriptor open across exec, but there is clearly no
reason to do so, hence the patch.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux