Date: Sat, 8 Feb 2020 11:19:08 -0500
From: Rich Felker <>
Subject: Re: fopen with "e" mode to close file descriptor in exec...

On Sat, Feb 08, 2020 at 10:45:10AM +0300, Alexander Scherbatiy wrote:
> Below are steps to reproduce it in docker, logs from docker and strace log.
> > docker run --rm -it alpine:3.11.3 ash
> > apk add gcc
> > apk add libc-dev
> Copy the posix_spawn_sample.c code below (note it uses "ash" in 'char
> *argv[] = {"ash", ,,,}' for posix_spawn on Alpine Linux )
> > gcc -o posix_spawn_sample posix_spawn_sample.c
> > ./posix_spawn_sample
> --- output ---
> / # ./posix_spawn_sample
> Child pid: 17
> PID=17
> 1 /bin/busybox /dev/pts/0
> 1 /bin/busybox /dev/pts/0
> 1 /bin/busybox /dev/pts/0
> 1 /bin/busybox /dev/tty
> 16 /posix_spawn_sample /dev/pts/0
> 16 /posix_spawn_sample /dev/pts/0
> 16 /posix_spawn_sample /dev/pts/0
> 16 /posix_spawn_sample /test.log
> ----------------
> Note that "test.log" file is listed by "lsof -p PID" command.

It's listed as being owned by pid 16, the parent, not pid 17, the
child. That's expected. At first I didn't understand why lsof -p is
showing these additional pids (parent and init) in addition to the
requested one. But it seems since you're using Docker those are the
*only* pids running, and you just hit the issue that busybox lsof does
not support -p (or any options at all) and always lists all open files
for all processes.

It would be a lot better to have your test do like I suggested and ls
-l /proc/$$/fd rather than running lsof. Then you will very clearly see
that the log file is not open. Or even run an interactive shell as the
child so you can explore /proc yourself from it.
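
Added example, not part of the original message or of the posix_spawn_sample.c under discussion: the /proc-based check suggested above, done from a spawned shell that inspects its own descriptor table, comparing fopen mode "w" with "we". The function name `child_inherits` and the temporary file name are assumptions of this sketch, and it assumes Linux with /proc mounted and `sh`, `ls` and `grep` on PATH.

```c
#define _POSIX_C_SOURCE 200809L
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Returns 1 if a posix_spawn'ed child inherits the descriptor behind a
 * stream opened with `mode`, 0 if it does not, -1 on error. */
int child_inherits(const char *mode)
{
    char path[] = "/tmp/cloexec_demo_XXXXXX";  /* constructed temp name */
    int tmpfd = mkstemp(path);
    if (tmpfd < 0) return -1;
    close(tmpfd);               /* keep only the descriptor from fopen() */

    FILE *log = fopen(path, mode);
    if (!log) { unlink(path); return -1; }

    /* The child shell lists its *own* fds via $$; "$0" is set to path.
     * grep exits 0 when the path appears among the fd symlink targets. */
    char *argv[] = { "sh", "-c",
        "ls -l /proc/$$/fd | grep -qF -- \"$0\"", path, NULL };
    pid_t pid;
    int status, result = -1;
    if (posix_spawnp(&pid, "sh", NULL, NULL, argv, environ) == 0 &&
        waitpid(pid, &status, 0) == pid && WIFEXITED(status)) {
        if (WEXITSTATUS(status) == 0) result = 1;       /* still open */
        else if (WEXITSTATUS(status) == 1) result = 0;  /* closed on exec */
    }
    fclose(log);
    unlink(path);
    return result;
}

int main(void)
{
    printf("mode \"w\":  inherited=%d\n", child_inherits("w"));
    printf("mode \"we\": inherited=%d\n", child_inherits("we"));
    return 0;
}
```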

