summaryrefslogtreecommitdiff
path: root/README
diff options
context:
space:
mode:
authorDenys Vlasenko2016-08-20 15:58:34 +0200
committerDenys Vlasenko2016-08-20 15:58:34 +0200
commit7b25b1c5b2794a499c8ae99db75830a6d564561e (patch)
treec136ae68fd879d80277eebac0ef7686b749181df /README
parent869994cf4f9647fdfb519a1945f8582e71d3df3d (diff)
downloadbusybox-7b25b1c5b2794a499c8ae99db75830a6d564561e.zip
busybox-7b25b1c5b2794a499c8ae99db75830a6d564561e.tar.gz
hush: do not leak script fds into NOEXEC children
We set all opened script fds to CLOEXEC, thus making then go away after fork+exec. Unfortunately, CLOFORK does not exist. NOEXEC children will still see those fds open. For one, "ls" applet is NOEXEC. Therefore running "ls -l /proc/self/fd" in a script from standalone shell shows this: lrwx------ 1 root root 64 Aug 20 15:17 0 -> /dev/pts/3 lrwx------ 1 root root 64 Aug 20 15:17 1 -> /dev/pts/3 lrwx------ 1 root root 64 Aug 20 15:17 2 -> /dev/pts/3 lr-x------ 1 root root 64 Aug 20 15:17 3 -> /path/to/top/level/script lr-x------ 1 root root 64 Aug 20 15:17 4 -> /path/to/sourced/SCRIPT1 ... with as many open fds as there are ". SCRIPTn" nest levels. Fix it by closing these fds after fork (only for NOEXEC children). Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'README')
0 files changed, 0 insertions, 0 deletions