[
http://dev.sourcefabric.org/browse/LS-512?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16344#action_16344
]
Romain Beauxis commented on LS-512:
-----------------------------------
It was reported in a private bug report as I thought it could have security
implications (oscigen uses this mechanism for its CGI code for instance..)
I have to say that I am a bit disappointed with the way they handle this..
> External processes inherit opened file descriptor, including opened sockets.
> ----------------------------------------------------------------------------
>
> Key: LS-512
> URL: http://dev.sourcefabric.org/browse/LS-512
> Project: Liquidsoap
> Issue Type: Bug
> Components: Liquidsoap
> Reporter: Romain Beauxis
> Priority: Critical
> Fix For: 1.0
>
>
> When liquidsoap spawns a new process using OCaml's open_process* functions,
> the new process is created using fork() and therefore inherits all opened
> file descriptors from liquidsoap.
> This leads to many different types of issues, among which:
> * If liquidsoap stops before an external process, any port opened by
> liquidsoap remains open until all external processes have terminated
> * All external processes have access to the file/sockets opened by
> liquidsoap, in particular they may read a file whose content is supposed to
> be protected (password) or listen to network traffic (source password for
> instance)
> The problem is not easy. There are several possibilities:
> * Define our own implementation of Unix.open_process*
> * Use some shell trickery to close the descriptors before invoking the new
> process. Something like:
> "/bin/ls /dev/fd/ | while read i; do if test "$i" -ge "3"; then exec "$i<&-" 2>/dev/null; fi done; my_process
> * Convince OCaml's maintainer to apply some patch and wait for a new release
> of OCaml...
--
This message is automatically generated by JIRA.
_______________________________________________
Savonet-devl mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/savonet-devl
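
The shell option listed in the issue, worked through as an added example (not code from Liquidsoap or from the original message): a child spawned normally can read a descriptor its parent holds open, while the same child started through a wrapper that closes every descriptor from 3 upward cannot. It assumes bash and a /dev/fd directory; `run_without_inherited_fds`, `spawn_plain`, `spawn_hardened`, the use of descriptor 9 and the sample secret are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not Liquidsoap code. Assumes bash and a /dev/fd directory.

# Run "$@" with every descriptor >= 3 closed. The body is a subshell, so the
# closes happen in the process that then exec()s the command and the
# caller's own descriptors stay open.
run_without_inherited_fds() (
    for path in /dev/fd/*; do
        fd=${path##*/}
        case $fd in ''|*[!0-9]*) continue ;; esac   # only plain numbers reach eval
        [ "$fd" -ge 3 ] || continue
        # Shells such as dash parse only single-digit descriptors; skip the rest there.
        [ "$fd" -le 9 ] || [ -n "${BASH_VERSION-}" ] || continue
        eval "exec $fd<&-"   # eval makes the shell parse "9<&-" as a redirection
    done
    exec "$@"
)

# Constructed stand-in for an external program: it was never handed fd 9
# but tries to read it anyway.
child_probe='{ cat <&9; } 2>/dev/null || echo "fd 9 not available"'

# Open a constructed secret on fd 9, the way a long-running parent might
# hold a password file or socket open.
open_secret() {
    secret_file=$(mktemp) || return 1
    printf 'source-password\n' > "$secret_file"
    exec 9< "$secret_file"
    rm -f "$secret_file"
}

spawn_plain()    { open_secret && sh -c "$child_probe"; }
spawn_hardened() { open_secret && run_without_inherited_fds sh -c "$child_probe"; }

echo "plain spawn:    $(spawn_plain)"
echo "hardened spawn: $(spawn_hardened)"
```

Closing descriptors in a wrapper only protects the spawn paths that go through it; marking each descriptor close-on-exec when it is opened covers every exec without relying on the caller.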