2013/1/9 Charles-François Natali <cf.nat...@gmail.com>: >> My question is: would you accept to break backward compatibility (in >> Python 3.4) to fix a potential security vulnerability? > > Although obvious, the security implications are not restricted to > sockets (yes, it's a contrived example): > ... > f = open("/tmp/passwd", 'w+') > if os.fork() == 0: > ...
Do you mean that we should provide a way to enable close-on-exec flag by default on all file descriptors? Adding an "e" flag to open() mode is not compatible with this requirement: we would need the opposite flag to disable explicitly close-on-exec. A better API is maybe to add a "cloexec" argument to open(), socket.socket(), pipe(), etc. It's easier to choose the default value of this argument: * False: backward compatible * True: backward incompatible * value retrieved from a global option, ex: sys.getdefaultcloexec() So a simple call to "sys.setdefaultcloexec(True)" would make your program make secure and less error-prone, globally, without having to break backward compatibility. Example without setting cloexec globally: f = open("/tmp/passwd", "w+", cloexec=True) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, cloexec=True) rfd, wfd = os.pipe(cloexec=True) -- "os.pipe(cloexec=True)" doesn't respect 1-to-1 "rule" of OS functions exposed in the Python module "os", because it it may use pipe2() with O_CLOEXEC internally, whereas os.pipe2() does exist... ... But other Python functions of the os module use a different C function depending on the option. Examples: - os.open() uses open(), or openat() if dir_fd is set. - os.utime() uses utimensat(), utime(), utimes(), futimens(), futimes(), futimesat(), ... Victor _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com