On Sat, 9 Jun 2007, Al Viro wrote:
>
> How the hell can it be racy wrt normal open()? F_DUPFD is not dup2(),
> it's non-overriding.
Al, you probably didn't read this thread from the beginning (not in this
particular email thread - an earlier one on the whole feature).
The problem is that a thread wants to open a FD_CLOEXEC file descriptor,
because it is doing something that is thread-local. So it does
fd = some.op.that.returns.an.fd.like.socket();
fcntl(fd, F_SETFD, &FD_CLOEXEC);
but *another* thread does an execve() at the same time, and the fcntl()
never gets to happen!
Which is why you'd like to do the *initial* operation with a flag that
says "please set the FD_CLOEXEC flag on the file descriptor", so that you
*atomically* install the file file descriptor and set the FD_CLOEXEC bit.
It's trivial to do for open(), but there are about a million ways to get a
file descriptor, and open() is just about the *only* one of those that
actually takes a "flags" field that can be used to tell the kernel.
So ignore the fdmapping for now: that's just an extended thing. The
problem is _independent_ of the fdmapping, but it turns out that a lot of
these problems are intertwined, in that you actually want *other* flags
than just "FD_CLOEXEC". For example, one of the flags would be "private fd
space" (which is where fdmap comes in), so that a library can allocate its
own internal file descriptors *without* impacting the caller that depends
on its own file descriptor allocation.
(And dammit, that _is_ a *real*issue*. No races necessary, no NR_OPEN
iterations, no even *halfway* suspect code. It's perfectly fine to do
close(0);
close(1);
close(2);
.. generate filenames, whatever ..
if (open(..) < 0 || open(..) < 0 || open(..) < 0)
die("Couldn't redirect stdin/stdout/stderr");
and there's absolutely nothing wrong with this kind of setup, even if you
could obviously have done it other ways too (ie by using "dup2()" instead
of "close + open"),
And that means that libraries currently MUST NOT open their own file
descriptors, exactly because they mess with the "application file
descriptor namespace", namely the linear POSIX-defined fd allocation
rules!
And no, "dup2(fd, SOME_BIG_FD)" is *not* the answer, exactly because we
end up sucking like mad if you actually were to do it!
So I think both the FD_CLOEXEC _and_ the "private fd space" are real
issues. I don't agree with the "random fd" approach. I'd much rather have
a non-random setup for the nonlinear ones (it just shouldn't be linear).
Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
