Re: [Help-bash] Prevent file descriptor inheritance

[Eric Blake]

On 08/08/2018 01:40 AM, R. Diez wrote:
> Hi all:
>
> Is there any way to prevent file descriptor inheritance? I mean the 
> "close on exec" flag O_CLOEXEC or FD_CLOEXEC.
>
> I wonder about the security implications. If a shell script opens a 
> "secret" file, and runs an external command, that command will have 
> direct access to the file.

How did you open the "secret" file?  If you are managing the fd 
yourself, it's simply a matter of closing it yourself before starting 
any command where you don't want it leaked, such as:

exec 3< mysecret
command_allowed_to_use_it_via_stdin <&3
command_forbidden_to_use 3<-

Yeah, it's a bit of a pain that you can't specify O_CLOEXEC, but have to 
track things yourself. On the other hand, O_CLOEXEC was added because of 
multithreaded apps (where you absolutely need an atomic way to ensure an 
fd opened in your thread of control is not leaked by a fork()/exec() in 
a parallel thread of control).  But the shell is single-threaded, and 
therefore you don't have the risk of any other thread fork()ing (and 
thus leaking your fd) outside of your thread of control.  So you are 
always able to manually manipulate fds without worrying about the race 
that O_CLOEXEC was meant to solve.

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org