>> I agree with the general principle that if we open it, we track it, and
>> then close it so it doesn't reach the child, typically with O_CLOEXEC or
>> FD_CLOEXEC.

...

> To that end, I propose that we treat any open descriptor N>2 at the time
> of an exec() to be a bug, which is to be fixed by setting O_CLOEXEC at
> time of creation.
+1. There are a few sneaky spots where we have to be careful; sometimes a
file is opened and then expected to be used as stdin for a child process;
there is also the unusual case of the -idanno flag, and it wouldn't
surprise me if there was another use of a file descriptor passed down to a
child process that I didn't know about.

I realize that dup2() clears the FD_CLOEXEC flag on the new file
descriptor, so the "normal" case of an opened file being dup2()'d down to 0
would work correctly, but the wrinkle is that it does NOT if the old and
new file descriptors are the same. That is admittedly unlikely, but it
could happen in a few cases, so I'd like to be as robust as possible.

It seems like the right way forward, given that nowadays there are a lot of
spots where we could fork another process off, is that every descriptor we
open should have FD_CLOEXEC set (I added that to the networking code).
Considering we haven't done that in the past for a lot of cases, it doesn't
seem like there's a lot of urgency, but we'll file this under "ongoing
cleanup".

--Ken

--
nmh-workers
https://lists.nongnu.org/mailman/listinfo/nmh-workers
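The dup2() wrinkle discussed above, as an added C example that is not nmh code: it opens /dev/null with O_CLOEXEC, redirects it the naive way and with a hypothetical robust_redirect() helper that clears FD_CLOEXEC explicitly when the old and new descriptor coincide, and reports whether the resulting descriptor would still be closed on exec().

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
/* 1 if fd carries FD_CLOEXEC, 0 if not, -1 on error. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Naive: trusts dup2() to drop FD_CLOEXEC on the new descriptor. Fine when
 * fd != target; when fd == target dup2() is a no-op and the flag survives. */
int naive_redirect(int fd, int target)
{
    return dup2(fd, target) == -1 ? -1 : 0;
}

/* Robust (hypothetical helper, not nmh code): clear FD_CLOEXEC explicitly
 * when fd == target instead of relying on dup2(). */
int robust_redirect(int fd, int target)
{
    if (fd == target) {
        int flags = fcntl(fd, F_GETFD);
        return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC);
    }
    return dup2(fd, target) == -1 ? -1 : 0;
}

/* Open /dev/null with O_CLOEXEC, redirect it, and return the target's
 * FD_CLOEXEC state (1 = child would NOT inherit it). same_fd != 0 redirects
 * the fd onto itself; otherwise dup() supplies a spare descriptor number. */
int cloexec_after(int (*redirect)(int, int), int same_fd)
{
    int fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
    if (fd == -1)
        return -1;
    int target = same_fd ? fd : dup(fd);
    int r = (target == -1 || redirect(fd, target) == -1) ? -1 : has_cloexec(target);
    if (target != -1 && target != fd)
        close(target);
    close(fd);
    return r;
}

int main(void)
{
    printf("naive, fd==target: cloexec=%d (child loses the fd)\n", cloexec_after(naive_redirect, 1));
    printf("robust, fd==target: cloexec=%d\n", cloexec_after(robust_redirect, 1));
    return 0;
}
```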
