-
-
Notifications
You must be signed in to change notification settings - Fork 29.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gh-97514: Authenticate the forkserver control socket. #99309
Open
gpshead
wants to merge
8
commits into
python:main
Choose a base branch
from
gpshead:security/multiprocessing-forkserver-authkey
base: main
Could not load branches
Branch not found: {{ refName }}
Could not load tags
Nothing to show
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
gh-97514: Authenticate the forkserver control socket. #99309
gpshead
wants to merge
8
commits into
python:main
from
gpshead:security/multiprocessing-forkserver-authkey
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This adds authentication. In the past only filesystem permissions protected this socket from code injection into the forkserver process by limiting access to the same UID, which didn't exist when Linux abstract namespace sockets were used (see issue) meaning that any process in the same system network namespace could inject code. This reuses the hmac based shared key auth already used on multiprocessing sockets used for other purposes. Doing this is useful so that filesystem permissions are not relied upon and trust isn't implied by default between all processes running as the same UID.
gpshead
added
type-feature
A feature request or enhancement
3.12
bugs and security fixes
topic-multiprocessing
labels
Nov 10, 2022
4 tasks
gpshead
changed the title
gh-97514: Authenticate the forkserver control socket.
gh-97514: [3.12+] Authenticate the forkserver control socket.
Nov 10, 2022
gpshead
added
the
🔨 test-with-buildbots
Test PR w/ buildbots; report in status section
label
Nov 11, 2022
bedevere-bot
removed
the
🔨 test-with-buildbots
Test PR w/ buildbots; report in status section
label
Nov 11, 2022
from the buildbots... tests leak some file descriptors. not too surprising given the bit of code the test pokes into, i'll see what can be done to manage those. |
I can't add new testcases to test_multiprocessing_forkserver itself, i had to put them within an existing _test_multiprocessing test class. I don't know why, but refleaks are fragile and that test suite is... rediculiously complicated with all that it does.
I'm not sure _why_ the hang happened, the forkserver process wasn't exiting when the alive_w fd was closed in the parent during tearDownModule(), instead it remained in its selector() loop. regardless the part of the test this removes fixes it and it only happened on macOS.
gpshead
added
the
🔨 test-with-buildbots
Test PR w/ buildbots; report in status section
label
Nov 13, 2022
bedevere-bot
removed
the
🔨 test-with-buildbots
Test PR w/ buildbots; report in status section
label
Nov 13, 2022
gpshead
added
3.13
bugs and security fixes
and removed
3.12
bugs and security fixes
labels
Jun 21, 2023
gpshead
changed the title
gh-97514: [3.12+] Authenticate the forkserver control socket.
gh-97514: Authenticate the forkserver control socket.
Jun 21, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
3.13
bugs and security fixes
awaiting core review
topic-multiprocessing
type-feature
A feature request or enhancement
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds authentication. In the past only filesystem permissions protected this socket from code injection into the forkserver process by limiting access to the same UID, which didn't exist when Linux abstract namespace sockets were used (see issue) meaning that any process in the same system network namespace could inject code.
This reuses the hmac based shared key auth already used on multiprocessing sockets used for other purposes.
Doing this is useful so that filesystem permissions are not relied upon and trust isn't implied by default between all processes running as the same UID with access to the unix socket.
Tasks remaining