Skip to content

[3.9] gh-97514: Don't use Linux abstract sockets for multiprocessing (GH-98501) #98504

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 28, 2022
Merged

[3.9] gh-97514: Don't use Linux abstract sockets for multiprocessing (GH-98501) #98504

merged 1 commit into from
Oct 28, 2022

Conversation

@miss-islington
Copy link
Contributor

@miss-islington miss-islington commented Oct 20, 2022
edited by bedevere-bot
Loading

Linux abstract sockets are insecure as they lack any form of filesystem
permissions so their use allows anyone on the system to inject code into
the process.

This removes the default preference for abstract sockets in
multiprocessing introduced in Python 3.9+ via
#18866 while fixing
#84031.

Explicit use of an abstract socket by a user now generates a
RuntimeWarning. If we choose to keep this warning, it should be
backported to the 3.7 and 3.8 branches.
(cherry picked from commit 49f6106)

Co-authored-by: Gregory P. Smith greg@krypto.org

@gpshead @miss-islington
pythongh-97514: Don't use Linux abstract sockets for multiprocessing (p…
85178d5 
…ythonGH-98501)

Linux abstract sockets are insecure as they lack any form of filesystem
permissions so their use allows anyone on the system to inject code into
the process.

This removes the default preference for abstract sockets in
multiprocessing introduced in Python 3.9+ via
python#18866 while fixing
python#84031.

Explicit use of an abstract socket by a user now generates a
RuntimeWarning.  If we choose to keep this warning, it should be
backported to the 3.7 and 3.8 branches.
(cherry picked from commit 49f6106)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
@miss-islington
Copy link
Contributor Author

miss-islington commented Oct 20, 2022

Sorry, I can't merge this PR. Reason: You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information..

@miss-islington
Copy link
Contributor Author

miss-islington commented Oct 20, 2022

Sorry, I can't merge this PR. Reason: You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information..

1 similar comment
@miss-islington
Copy link
Contributor Author

miss-islington commented Oct 20, 2022

Sorry, I can't merge this PR. Reason: You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information..

@gpshead gpshead added the 3.9 (EOL) end of life label Oct 20, 2022
@miss-islington
Copy link
Contributor Author

miss-islington commented Oct 20, 2022

Sorry, I can't merge this PR. Reason: You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information..

@gpshead gpshead mentioned this pull request Oct 20, 2022
Merged
@ambv ambv merged commit b43496c into python:3.9 Oct 28, 2022
@miss-islington miss-islington deleted the backport-49f6106-3.9 branch October 28, 2022 10:08
@gpshead gpshead mentioned this pull request Nov 10, 2022
Closed
4 tasks
@tshu-w tshu-w mentioned this pull request Nov 14, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gpshead gpshead gpshead approved these changes

Assignees

@ambv ambv

Labels

3.9 (EOL) end of life release-blocker type-security A security issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@miss-islington @gpshead @ambv @bedevere-bot