[Haskell-cafe] Re: Bug in runInteractiveProcess?
Brandon S. Allbery KF8NH
allbery at ece.cmu.edu
Wed Oct 17 09:53:13 EDT 2007
On Oct 17, 2007, at 1:32 , Donn Cave wrote:
> On Oct 16, 2007, at 9:52 PM, Brandon S. Allbery KF8NH wrote:
>> Either implementation causes problems; security folks tend to
>> prefer that all file descriptors other than 0-2 (0-4 on Windows?)
>> be closed, and 0-2(4) be forced open (on /dev/null if they're not
>> already open). But in this case, the idea is to set FD_CLOEXEC on
>> (and only on) file descriptors opened by the Haskell runtime, so
>> you would get the same effect as tracking file descriptors manually.
>
> I can't speak for security folks, but for me, the way you put it
> goes way too far.
> The file descriptors at issue were opened by runInteractiveProcess, and
> FD_CLOEXEC on them would solve the whole problem (I think.) Is that
> what you mean? To set this flag routinely on all file descriptors
> opened in any way would require a different justification, and it
> would have to be a pretty good one!
Well, security folks (professional paranoids :) tend to consider
passing anything other than standard file descriptors to arbitrary
subprocesses to be a potential uncontrolled information leak. There
*are* times when you want to care about this, but in general there is
a tradeoff between secure and usable so most practical systems take
the middle road and make the programmer do fd swizzling by hand if
they need special behavior in either direction (either more or less
sharing, that is). (Early Unix, on the other hand, erred toward the
permissive/promiscuous, cf. your NetBSD source comparison.)
--
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery at kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery at ece.cmu.edu
electrical and computer engineering, carnegie mellon university KF8NH
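The close-on-exec behaviour the thread is arguing about, as an added example (not code from the thread, GHC, or runInteractiveProcess): a pipe's write end is inherited by a child that execs /bin/sh, and the shell is asked to write through that descriptor. With FD_CLOEXEC set the descriptor is already gone when the shell runs, so nothing leaks back; without it, the inherited fd is usable. Assumes a POSIX system with /bin/sh; the function names are mine.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark a descriptor close-on-exec without disturbing its other fd flags. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Create a pipe, optionally mark its write end FD_CLOEXEC, then fork and
 * exec a shell that tries to write through the inherited descriptor.
 * Returns 1 if the child's write reached the parent (the fd leaked across
 * exec), 0 if the descriptor was already closed when the shell ran, and
 * -1 on a setup error. (Hypothetical helper, not a library function.) */
int leaks_through_exec(int cloexec) {
    int fds[2];
    if (pipe(fds) == -1) return -1;
    if (cloexec && set_cloexec(fds[1]) == -1) return -1;

    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        /* Child: the shell is only told the fd number; whether that number
         * still refers to an open descriptor after exec is what we measure.
         * stderr is silenced so a "Bad file descriptor" message is not shown. */
        char cmd[64];
        snprintf(cmd, sizeof cmd, "exec 2>/dev/null; echo leaked >&%d", fds[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(fds[1]);               /* parent keeps only the read end */
    int status;
    waitpid(pid, &status, 0);    /* child has exited, so read() cannot block */
    char buf[32];
    ssize_t n = read(fds[0], buf, sizeof buf);
    close(fds[0]);
    return n > 0 ? 1 : 0;
}

int main(void) {
    printf("without FD_CLOEXEC: leaked=%d\n", leaks_through_exec(0));
    printf("with FD_CLOEXEC:    leaked=%d\n", leaks_through_exec(1));
    return 0;
}
```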