File descripters should be non-inheritable by default. #6602
Labels
Comments
|
This may be hard to accomplish, because system.nim uses fopen, which doesn't have portable CLOEXEC support (there is "e" mode, but it's only available in glibc) |
alaviss
added a commit
to alaviss/Nim
that referenced
this issue
Jan 20, 2020
This prevents file descriptors/handles leakage to child processes that might cause issues like running out of file descriptors, or potential security issues like leaking a file descriptor to a restricted file. While this breaks backward compatibility, I'm rather certain that not many programs (if any) actually make use of this implementation detail. A new API `setInheritable` is provided for the few that actually want to use this functionality. Ref nim-lang#6602
alaviss
added a commit
to alaviss/Nim
that referenced
this issue
Jan 20, 2020
This prevents file descriptors/handles leakage to child processes that might cause issues like running out of file descriptors, or potential security issues like leaking a file descriptor to a restricted file. While this breaks backward compatibility, I'm rather certain that not many programs (if any) actually make use of this implementation detail. A new API `setInheritable` is provided for the few that actually want to use this functionality. Ref nim-lang#6602
alaviss
added a commit
to alaviss/Nim
that referenced
this issue
Jan 20, 2020
This prevents file descriptors/handles leakage to child processes that might cause issues like running out of file descriptors, or potential security issues like leaking a file descriptor to a restricted file. While this breaks backward compatibility, I'm rather certain that not many programs (if any) actually make use of this implementation detail. A new API `setInheritable` is provided for the few that actually want to use this functionality. Ref nim-lang#6602
alaviss
added a commit
to alaviss/Nim
that referenced
this issue
Jan 20, 2020
This prevents file descriptors/handles leakage to child processes that might cause issues like running out of file descriptors, or potential security issues like leaking a file descriptor to a restricted file. While this breaks backward compatibility, I'm rather certain that not many programs (if any) actually make use of this implementation detail. A new API `setInheritable` is provided for the few that actually want to use this functionality. Ref nim-lang#6602
alaviss
added a commit
to alaviss/Nim
that referenced
this issue
Jan 20, 2020
This prevents file descriptors/handles leakage to child processes that might cause issues like running out of file descriptors, or potential security issues like leaking a file descriptor to a restricted file. While this breaks backward compatibility, I'm rather certain that not many programs (if any) actually make use of this implementation detail. A new API `setInheritable` is provided for the few that actually want to use this functionality. Ref nim-lang#6602
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I have encountered a problem when i am making a "process supervisor".
When the supervisor quit, each child process keep running and keep the
fds interited from supervisor opening. Thefds are leaked. Especially, there is no way to manually set the underlying fd of asynchttpserver as FD_CLOEXEC.I think the file descripters should be non-inheritable by default.
Python from 3.4 (and many other languages) make file descripters non-inheritable by default.
See: https://www.python.org/dev/peps/pep-0446/
My original issue is here: dom96/jester#125
The text was updated successfully, but these errors were encountered: