On Sun, 2015-05-10 at 00:57 +0300, Alon Bar-Lev wrote:
> Are you sure you want to introduce security issues resulting from a
> resource leak into the child process? Example: a pcsc-lite socket that
> is leaking, or a USB connection, in a way that lets the child process
> access the card?

Those should be opened with O_CLOEXEC anyway.

> I already fixed the OpenSC implementation at least twice in the past
> for this specific issue, and twice helped to fix the pcsc-lite issues,
> worked with p11-glue at least here[1], worked with Aladdin to fix
> their product, also Siemens, Athena and others, I guess another cycle
> is required.

Indeed :)

I posted a proof-of-concept patch for OpenSC¹ but it was more of a
demonstration of where the problem lies than a real fix. Partly because
it *does* still leak file descriptors, AFAICT.

> This fix should be in malformed providers, otherwise except for the
> above, you also damage the well behaved providers.

If an application *knows* that it will never use PKCS#11 after a fork(),
as in this case where we *know* that we're always just going to exec
something else, it certainly doesn't *damage* the well-behaved providers
if we simply refrain from making that C_Initialize() call that we *know*
to be gratuitous in the child.

-- 
dwmw2

¹ http://sourceforge.net/p/opensc/mailman/message/34086897/
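The O_CLOEXEC point above, as an added example that is not from this thread and not OpenSC's or pcsc-lite's code: it opens a descriptor (a stand-in for a provider's pcsc-lite socket or USB handle) with and without O_CLOEXEC, forks and execs /bin/sh, and checks whether the descriptor is still open in the exec'd child. It assumes /bin/sh and /dev/null exist; mark_cloexec shows the retroactive fcntl() fix for a descriptor that a library opened without the flag.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for a provider opening a socket or device handle. */
int open_resource(const char *path, int cloexec)
{
    return open(path, O_RDONLY | (cloexec ? O_CLOEXEC : 0));
}

/* Retroactively set FD_CLOEXEC on a descriptor opened without it. */
int mark_cloexec(int fd)
{
    int f = fcntl(fd, F_GETFD);
    return f < 0 ? -1 : fcntl(fd, F_SETFD, f | FD_CLOEXEC);
}

/* Fork, exec /bin/sh and let it try to dup the descriptor onto fd 9.
 * Returns 1 if the descriptor was still open after exec, 0 if not, -1 on error. */
int survives_exec(int fd)
{
    char cmd[48];
    int status;
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null 9<&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Walks through the three cases; returns 0 if each behaves as expected,
 * otherwise the number of the step that did not. */
int demo_fd_leak(void)
{
    int leaky = open_resource("/dev/null", 0);
    int safe = open_resource("/dev/null", 1);
    if (leaky < 0 || safe < 0) return 1;
    if (survives_exec(leaky) != 1) return 2;  /* leaks into exec'd child */
    if (survives_exec(safe) != 0) return 3;   /* closed by exec */
    if (mark_cloexec(leaky) != 0) return 4;
    if (survives_exec(leaky) != 0) return 5;  /* no longer leaks */
    close(leaky); close(safe);
    return 0;
}
```

Setting FD_CLOEXEC after the fact leaves a window in which another thread can fork and exec while the descriptor is still inheritable, which is why the flag belongs on the open() call itself.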
