On Sun, 2015-05-10 at 00:57 +0300, Alon Bar-Lev wrote:
> Are you sure you want to introduce security issues resulting from a
> resource leak into the child process? Example: a pcsc-lite socket that
> is leaking, or a USB connection? In a way that lets the child process
> access the card?

Those should be opened with O_CLOEXEC anyway.

> I already fixed the OpenSC implementation at least twice in the past
> for this specific issue, and twice helped to fix the pcsc-lite issues,
> worked with p11-glue at least here[1], worked with Aladdin to fix
> their product, also Siemens, Athena and others. I guess another cycle
> is required.

Indeed :)

I posted a proof-of-concept patch for OpenSC¹ but it was more of a
demonstration of where the problem lies than a real fix. Partly because
it *does* still leak file descriptors, AFAICT.

> This fix should be in the malformed providers; otherwise, apart from the
> above, you also damage the well-behaved providers.

If an application *knows* that it will never use PKCS#11 after a fork(),
as in this case where we *know* that we're always just going to exec
something else, it certainly doesn't *damage* the well-behaved providers
if we simply refrain from making that C_Initialize() call that we *know*
to be gratuitous in the child.

-- 
dwmw2

¹ http://sourceforge.net/p/opensc/mailman/message/34086897/