Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[3.9] gh-97514: Don't use Linux abstract sockets for multiprocessing (GH-98501) #98504

Merged
merged 1 commit into from Oct 28, 2022
Merged

[3.9] gh-97514: Don't use Linux abstract sockets for multiprocessing (GH-98501) #98504

merged 1 commit into from Oct 28, 2022

Conversation

miss-islington
Copy link
Contributor

@miss-islington miss-islington commented Oct 20, 2022
edited by bedevere-bot

Linux abstract sockets are insecure as they lack any form of filesystem
permissions so their use allows anyone on the system to inject code into
the process.

This removes the default preference for abstract sockets in
multiprocessing introduced in Python 3.9+ via
#18866 while fixing
#84031.

Explicit use of an abstract socket by a user now generates a
RuntimeWarning. If we choose to keep this warning, it should be
backported to the 3.7 and 3.8 branches.
(cherry picked from commit 49f6106)

Co-authored-by: Gregory P. Smith greg@krypto.org

@gpshead @miss-islington
pythongh-97514: Don't use Linux abstract sockets for multiprocessing (p…
85178d5 
…ythonGH-98501)

Linux abstract sockets are insecure as they lack any form of filesystem
permissions so their use allows anyone on the system to inject code into
the process.

This removes the default preference for abstract sockets in
multiprocessing introduced in Python 3.9+ via
python#18866 while fixing
python#84031.

Explicit use of an abstract socket by a user now generates a
RuntimeWarning.  If we choose to keep this warning, it should be
backported to the 3.7 and 3.8 branches.
(cherry picked from commit 49f6106)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
@miss-islington
Copy link
Contributor Author

Sorry, I can't merge this PR. Reason: You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information..

@miss-islington
Copy link
Contributor Author

Sorry, I can't merge this PR. Reason: You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information..

1 similar comment
@miss-islington
Copy link
Contributor Author

Sorry, I can't merge this PR. Reason: You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information..

@gpshead gpshead added the 3.9 only security fixes label Oct 20, 2022
@miss-islington
Copy link
Contributor Author

Sorry, I can't merge this PR. Reason: You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information..

@gpshead gpshead mentioned this pull request Oct 20, 2022
Merged
@ambv ambv merged commit b43496c into python:3.9 Oct 28, 2022
@miss-islington miss-islington deleted the backport-49f6106-3.9 branch October 28, 2022 10:08
@gpshead gpshead mentioned this pull request Nov 10, 2022
Closed
4 tasks
@tshu-w tshu-w mentioned this pull request Nov 14, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gpshead gpshead gpshead approved these changes

Assignees

@ambv ambv

Labels
3.9 only security fixes release-blocker type-security A security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@miss-islington @gpshead @ambv @bedevere-bot