Message-Id: <em79f16f1a-883c-4e4d-b11e-ad40edd723d1@02a1aab3.com>
Date: Sat, 13 Sep 2025 08:43:39 +0000
From: "Laurent Bercot" <ska-dietlibc@...rnet.org>
To: musl@...ts.openwall.com
Subject: Re: closefrom and close_range wrappers

>Would it make sense for musl to provide close_range and
>closefrom?  The main uses of them are to close unwanted
>FDs after a fork and before exec.  close_range() can also
>be used to mark them close-on-exec instead.

  Using these functions is always a programming error. Programs
should never (with very few exceptions, and the use case [generic-]you
are thinking about is probably not one of them, and yes, lots of
shells are broken in that aspect) close file descriptors they do
not own.

  It is an entirely valid programming practice for a parent to leak a
descriptor into an unknowing child, for various reasons, one of which
(the most obvious, but not the only one) being detection of said
child's death by an unrelated process. Closing unknown fds prevents
this and breaks existing, valid setups.


>The main advantage of closefrom() is that it is portable
>to more systems.  Closing file descriptors one doesn't own
>is not an issue because the code that does own these FDs
>will never get a chance to run.

  That is very much an issue. The code that does own these fds is
likely not in the same process, and is running.


>Yes, this is all a consequence of fork()/exec() being an
>extremely poor API, but I don't know of a better solution.

  Every piece of code that opens a descriptor should track it, just
like any other resource. If the code wants to leave the cleanup to
the kernel, that's what O_CLOEXEC is for. None of this is new.


>There are third-party libraries (including glib and wlroots)
>that expect one to either use an API like this or emulate it
>by scanning /proc/self/fd (yuck).  Yes, these libraries should
>be atomically setting O_CLOEXEC, but their authors disagree
>and maintaining downstream forks is not practical.

  I unfortunately have no argument to convince people knowingly doing
the wrong thing and unwilling to change. What were glib and wlroots
doing before close_range() was a thing?

--
  Laurent

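The breakage Laurent describes, as an added example that is not part of the post: the parent keeps the read end of a pipe (marked close-on-exec, the cleanup mechanism the post points to) and lets the write end leak into the child on purpose, so hang-up on the read end means the child is gone; a child that closes descriptors it does not own (mimicked here by closing that one fd rather than calling closefrom()) makes the parent see hang-up while the child is still alive. `premature_hangup` and the three pipes are constructed for this demo; it assumes a POSIX system such as Linux.

```c
/* Added demo, not from the list post: a parent learns of a child's exit via a
 * pipe write end the child inherits unknowingly; a child that blanket-closes
 * descriptors it does not own makes that monitor report death too early. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <poll.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the monitor pipe hung up while the child was still alive
 * (a false death report), 0 if it hung up only after exit, -1 on error. */
int premature_hangup(int child_closes_unknown_fds)
{
    int mon[2], ready[2], release[2];
    if (pipe(mon) || pipe(ready) || pipe(release))
        return -1;
    /* The end the parent keeps is close-on-exec (the cleanup mechanism the
     * post points to); mon[1] is left inheritable on purpose, as the leak. */
    fcntl(mon[0], F_SETFD, FD_CLOEXEC);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char c = 'r';
        if (child_closes_unknown_fds)
            close(mon[1]);             /* what a closefrom()-style sweep does */
        if (write(ready[1], &c, 1) != 1)   /* setup finished */
            _exit(1);
        if (read(release[0], &c, 1) < 0)   /* wait until the parent lets us go */
            _exit(1);
        _exit(0);
    }

    close(mon[1]); close(ready[1]); close(release[0]);
    char c;
    if (read(ready[0], &c, 1) != 1)
        return -1;
    struct pollfd pfd = { .fd = mon[0], .events = POLLIN };
    /* The child is alive and blocked: any hang-up now is a false report. */
    int hup_early = poll(&pfd, 1, 0) > 0 && (pfd.revents & POLLHUP);
    if (write(release[1], &c, 1) != 1)
        return -1;
    waitpid(pid, NULL, 0);
    /* The child is really gone: hang-up is now the legitimate signal. */
    int hup_late = poll(&pfd, 1, 1000) > 0 && (pfd.revents & POLLHUP);
    close(mon[0]); close(ready[0]); close(release[1]);
    return hup_early ? 1 : (hup_late ? 0 : -1);
}
```

Calling `premature_hangup(0)` returns 0 (hang-up only after the child exits) and `premature_hangup(1)` returns 1 (hang-up reported while the child is still running).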