#10991 closed defect (fixed)
Avoid log file descriptor leakage
| Reported by: | Owned by: | Remy Blank | |
|---|---|---|---|
| Priority: | normal | Milestone: | 1.0.1 |
| Component: | general | Version: | |
| Severity: | normal | Keywords: | selinux |
| Cc: | bunk@… | Branch: | |
| Release Notes: |
Close file descriptors when shelling out to sendmail to avoid file descriptor leakage. |
||
| API Changes: | |||
| Internal Changes: | |||
Description
When trac is configured to log to a file and sends mail notifications via sendmail, SELinux complains:
type=AVC msg=audit(1356034258.828:30164):
avc: denied { append } for pid=28546 comm="sendmail"
path="/tmp/trac.log" dev=sda1 ino=673386
scontext=system_u:system_r:system_mail_t:s0
tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file
Attached patch against the current trunk revision r11179 sets the FD_CLOEXEC flag on the log file descriptor to avoid leaking it to forked children including sendmail.
More info about fd leaks and SELinux: http://danwalsh.livejournal.com/53603.html
Attachments (1)
Change History (10)
by , 12 years ago
| Attachment: | log.py.diff added |
|---|
follow-up: 4 comment:1 by , 12 years ago
comment:2 by , 12 years ago
Good questions.
- SQLite uses close on exec since 2007: https://www.sqlite.org/src/info/f1e5fed8eb
- Yes, close_fds is better and shorter for this case: http://docs.python.org/2/library/subprocess.html#popen-constructor And no: there might be other places where trac executes a subprocess.
- I suspect closing all fds till 99 causes the SELinux check: http://code.metager.de/source/xref/postfix-debian/src/sendmail/sendmail.c#950
comment:3 by , 12 years ago
Ping (sorry to bug you, but this is an easy to fix issue, so if you don't have further questions just apply one or both ways to fix it)
comment:4 by , 12 years ago
Replying to rblank:
- Could we solve this in a more generic way by setting
close_fds=Truewhen using thesubprocessmodule (on non-Windows only)?
Looks like we already do that for all other calls to subprocess.call and subprocess.Popen:
- source:trunk/tracopt/versioncontrol/git/tests/PyGIT.py@11483:164#L164
- source:trunk/tracopt/versioncontrol/git/PyGIT.py@11483:122-125#L120
- (could be simplified using
trac.util.compat.close_fds)
- (could be simplified using
- source:trunk/trac/tests/functional/testenv.py@11483:125-127,143-145,150-153,177-179,228-229#L125
- (imports both
trac.util.compat.close_fdsandtrac.tests.functional.compat.close_fds) - (also contains one more Windows-only
callcall)
- (imports both
- source:trunk/trac/db/postgres_backend.py@11483:174-175,194#L174
- source:trunk/trac/db/mysql_backend.py@11483:225#L225
- source:trunk/trac/tests/functional/svntestenv.py@11483:20-21,23-24#L20
Some history digging suggests this was an oversight, not a deliberate decision:
- [5951] Added
close_fds=Trueparameters (in functional testing sandbox) - [6001] Added
close_fds=close_fdsWindows compat flag - [7935] Introduced
SendmailEmailSender(in trunk) - [8027] Moved flag to
trac.util.compat - [8031] Added some more usages (still in testing sandbox)
- [8131] Merged flag from testing sandbox to trunk
comment:5 by , 12 years ago
| Milestone: | → 1.0.1 |
|---|---|
| Owner: | set to |
| Status: | new → assigned |
Thanks for checking! So this is a strong indicator that the close_fds solution is the right one.
comment:6 by , 12 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Added close_fds when calling sendmail in [11496].
comment:8 by , 12 years ago
OT: Coincidentally today pep:0433 was posted, proposing some easier way to suppress file descriptor leaks. (For Python 3.4)
comment:9 by , 11 years ago
| Release Notes: | modified (diff) |
|---|
Interesting, thanks for the patch. I have a few questions.
close_fds=Truewhen using thesubprocessmodule (on non-Windows only)?