Greetings,
* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> David Steele <david@pgmasters.net> writes:
> > On 6/21/19 9:45 AM, Tom Lane wrote:
> >> +1 for using O_CLOEXEC on machines that have it. I don't think I want to
> >> jump through hoops for machines that don't have it --- POSIX has required
> >> it for some time, so there should be few machines in that category.
>
> > Another possible issue is that if we allow a child process to inherit
> > all these fds it might accidentally write to them, which would be bad.
> > I know the child process can go and maliciously open and trash files if
> > it wants, but it doesn't seem like we should allow it to happen
> > unintentionally.
>
> True. But I don't want to think of this as a security issue, because
> then it becomes a security bug to forget O_CLOEXEC anywhere in the
> backend, and that is a standard we cannot meet. (Even if we could
> hold to it for the core code, stuff like libperl and libpython can't
> be relied on to play ball.) In practice, as long as we use O_CLOEXEC
> for files opened by fd.c, that would eliminate the actual too-many-fds
> hazard. I don't object to desultorily looking around for other places
> where we might want to add it, but personally I'd be satisfied with a
> patch that CLOEXEC-ifies fd.c.
Agreed, it's not a security issue, and also agreed that we should
probably get it done with fd.c right off, and then if someone wants to
think about other places where it might be good to do then more power to
them and it seems like we'd be happy to accept such patches.
Thanks,
Stephen