From: | David Steele <david(at)pgmasters(dot)net> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
Subject: | Re: File descriptors inherited by restore_command |
Date: | 2019-06-21 20:03:41 |
Message-ID: | bf7d4b9f-13f8-0ecf-3fd0-fef91263b459@pgmasters.net |
Lists: | pgsql-hackers |
On 6/21/19 10:26 AM, Stephen Frost wrote:
>>
>>> Another possible issue is that if we allow a child process to inherit
>>> all these fds it might accidentally write to them, which would be bad.
>>> I know the child process can go and maliciously open and trash files if
>>> it wants, but it doesn't seem like we should allow it to happen
>>> unintentionally.
>>
>> True. But I don't want to think of this as a security issue, because
>> then it becomes a security bug to forget O_CLOEXEC anywhere in the
>> backend, and that is a standard we cannot meet. (Even if we could
>> hold to it for the core code, stuff like libperl and libpython can't
>> be relied on to play ball.) In practice, as long as we use O_CLOEXEC
>> for files opened by fd.c, that would eliminate the actual too-many-fds
>> hazard. I don't object to desultorily looking around for other places
>> where we might want to add it, but personally I'd be satisfied with a
>> patch that CLOEXEC-ifies fd.c.
>
> Agreed, it's not a security issue, and also agreed that we should
> probably get it done with fd.c right off, and then if someone wants to
> think about other places where it might be good to do then more power to
> them and it seems like we'd be happy to accept such patches.
I agree this is not a security issue and I wasn't intending to present
it that way, but in general the more fds closed the better.
I'll work up a patch for fd.c which is the obvious win and we can work
from there if it makes sense. I'll be sure to test EXEC_BACKEND on
Linux but I don't think it will matter on Windows. cfbot may feel
differently, though.
Regards,
--
-David
david(at)pgmasters(dot)net