Issue 17070: PEP 433: Use the new cloexec to improve security and avoid bugs (original) (raw)

Created on 2013-01-29 13:09 by vstinner, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Messages (4)
msg180905 - (view)	Author: STINNER Victor (vstinner) *	Date: 2013-01-29 13:09
Attached patches use the new cloexec parameter added by the PEP 433 (see issue #17036). cloexec_fs_walk.patch: [security] don't leak a file descriptors of directories to a child processes cloexec_listening_socket.patch: [security] don't leak a listening socket to child processes, see also #12107 cloexec_log_file.patch: [security] don't leak the file descriptor of a log file to child processes cloexec_subprocess.patch: [security/bugs] don't leak file descriptors to child processes cloexec_misc.patch: misc mmodules "security" is a strong word: if subprocess is called with close_fds=True, there is no such problem at all. It's more a theorical problem if a process is created in another thread without using the subprocess module (but directly low level functions).
msg194164 - (view)	Author: Charles-François Natali (neologix) *	Date: 2013-08-02 08:34
Time to close this one, since the PEP has been superseeded by PEP 446?
msg195832 - (view)	Author: STINNER Victor (vstinner) *	Date: 2013-08-21 22:41
> Time to close this one, since the PEP has been superseeded by PEP 446? I prefer to wait until Guido decided for the PEP 446.
msg196333 - (view)	Author: STINNER Victor (vstinner) *	Date: 2013-08-27 23:25
The PEP 446 has been implemented (see issue #18571), this issue can be closed.