2013/8/27 Antoine Pitrou <solip...@pitrou.net>:
>> On UNIX, the subprocess module closes almost all file descriptors in
>> the child process. This operation requires MAXFD system calls, where
>> MAXFD is the maximum number of file descriptors, even if there are
>> only a few open file descriptors. This maximum can be read using:
>> os.sysconf("SC_OPEN_MAX").
>
> If your intent is to remove the closerange() call from subprocess, be
> aware that it may let through some file descriptors opened by
> third-party code (such as C extensions). This may or may not be
> something we want to worry about, but there's still a small potential
> for security regressions.

The PEP doesn't change the default value of the close_fds parameter of
subprocess: file descriptors and handles are still closed in the child
process.

I modified the PEP to explain the link between non-inheritable FDs and
performance:
http://hg.python.org/peps/rev/d88fbf9941fa

If you don't use third-party code, or if you control third-party code and
you know that these modules only create non-inheritable FDs, it is now
safe (thanks to PEP 446) to use close_fds=False... which avoids the
cost of closing MAXFD file descriptors explicitly in the child process.

Victor
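
Added example, not part of the original message or of the PEP: a check of which descriptors reach a child under close_fds=False, including the third-party case raised in the quoted reply. It assumes POSIX and Python 3.4 or later; PROBE, leaks_to_child, inheritable_fds and demo are hypothetical names chosen for this example.

```python
import os
import subprocess
import sys

# Child-side probe (constructed for this example): reports whether the given
# descriptor number refers to an open pipe in the child process.
PROBE = """
import os, stat, sys
try:
    print(stat.S_ISFIFO(os.fstat(int(sys.argv[1])).st_mode))
except OSError:
    print(False)
"""

def leaks_to_child(fd, close_fds):
    """Spawn a child and return True if `fd` is still open in it."""
    out = subprocess.check_output(
        [sys.executable, "-c", PROBE, str(fd)], close_fds=close_fds)
    return out.strip() == b"True"

def inheritable_fds(limit=1024):
    """List FDs above stderr that a close_fds=False child would inherit."""
    found = []
    for fd in range(3, limit):
        try:
            if os.get_inheritable(fd):
                found.append(fd)
        except OSError:
            pass  # descriptor number is not open
    return found

def demo():
    r, w = os.pipe()  # PEP 446: created non-inheritable
    try:
        results = {"default, close_fds=False": leaks_to_child(r, False)}
        # Simulate third-party code that marks its descriptor inheritable.
        os.set_inheritable(r, True)
        results["inheritable, close_fds=False"] = leaks_to_child(r, False)
        results["inheritable, close_fds=True"] = leaks_to_child(r, True)
        results["flagged by audit"] = r in inheritable_fds(r + 1)
        return results
    finally:
        os.close(r)
        os.close(w)

if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value}")
```

Running inheritable_fds() in the parent just before a close_fds=False spawn lists the descriptors that would be handed to the child.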