From 081bb6a7bd9642ee3d5bb9b697c24f89535416de Mon Sep 17 00:00:00 2001
From: Ludovic Courtès
Date: Sat, 10 Sep 2022 23:19:02 +0200
Subject: services: shepherd: Open /dev/null as O_CLOEXEC.
Failing to do that, that file descriptor could be inherited by child processes as of Shepherd 0.9.2.
* gnu/services/shepherd.scm (shepherd-configuration-file): Open /dev/null as O_CLOEXEC.
---
gnu/services/shepherd.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'gnu/services/shepherd.scm')
diff --git a/gnu/services/shepherd.scm b/gnu/services/shepherd.scm
index 4fd4b2a497..a8f6db9ce2 100644
--- a/gnu/services/shepherd.scm
+++ b/gnu/services/shepherd.scm
@@ -387,7 +387,7 @@ as shepherd package."
 ;; call; this avoids situations where services wrongfully lead
 ;; PID 1 to read from stdin (the console), which users may not
 ;; have access to (see ).
- (redirect-port (open-input-file "/dev/null")
+ (redirect-port (open "/dev/null" (logior O_RDONLY O_CLOEXEC))
 (current-input-port)))))
 (scheme-file "shepherd.conf" config)))
-- cgit 1.4.1
From 66fdaf3677e5f7833a02096a2bcb1e9653efbb16 Mon Sep 17 00:00:00 2001
From: Ludovic Courtès
Date: Mon, 12 Sep 2022 14:29:45 +0200
Subject: services: shepherd: Install O_CLOEXEC variant of 'call-with-input-file' & co.
Fixes a bug introduced with the Shepherd 0.9.2 upgrade in commit 1ba0e38267c9ff8bb476285091be6e297bbf136e whereby files opened by, say, the 'start' method of 'urandom-seed', could leak into the execution environment of some other service--e.g., 'term-tty4'.
* gnu/services/shepherd.scm (shepherd-configuration-file)[config]: Override 'call-with-input-file' and 'call-with-output-file'.
---
gnu/services/shepherd.scm | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
(limited to 'gnu/services/shepherd.scm')
diff --git a/gnu/services/shepherd.scm b/gnu/services/shepherd.scm
index a8f6db9ce2..61f759a19d 100644
--- a/gnu/services/shepherd.scm
+++ b/gnu/services/shepherd.scm
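Review bot: The port returned by `open` on the new `+` line is never closed after `redirect-port` duplicates its descriptor onto standard input, so the extra descriptor stays open in the calling process until the port is garbage-collected; O_CLOEXEC only keeps it out of exec'd children, which is the leak this commit targets. Assuming `redirect-port` merely dup2()s the underlying descriptor and does not take ownership of the source port, the source can be closed right after the redirect, e.g. `(let ((null (open "/dev/null" (logior O_RDONLY O_CLOEXEC)))) (redirect-port null (current-input-port)) (close-port null))`. A short comment on the `open` call, such as `;; O_CLOEXEC: do not let this descriptor leak into children of PID 1.`, would record why the plainer `open-input-file` was dropped. The enclosing shepherd-configuration-file body begins before this hunk.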
@@ -344,6 +344,31 @@ as shepherd package."
 (use-modules (srfi srfi-34) (system repl error-handling))
+ (define (call-with-file file flags proc)
+ (let ((port #f))
+ (dynamic-wind
+ (lambda ()
+ (set! port (open file flags)))
+ (lambda ()
+ (proc port))
+ (lambda ()
+ (close-port port)
+ (set! port #f)))))
+
+ ;; There's code run from shepherd that uses 'call-with-input-file' &
+ ;; co.--e.g., the 'urandom-seed' service. Starting from Shepherd
+ ;; 0.9.2, users need to make sure not to leak non-close-on-exec file
+ ;; descriptors to child processes. To address that, replace the
+ ;; standard bindings with O_CLOEXEC variants.
+ (set! call-with-input-file
+ (lambda (file proc)
+ (call-with-file file (logior O_RDONLY O_CLOEXEC)
+ proc)))
+ (set! call-with-output-file
+ (lambda (file proc)
+ (call-with-file file (logior O_WRONLY O_CREAT O_CLOEXEC)
+ proc)))
+
 ;; Specify the default environment visible to all the services.
 ;; Without this statement, all the environment variables of PID 1
 ;; are inherited by child services.
-- cgit 1.4.1
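Review bot: The `call-with-output-file` override near the end of the hunk opens with `O_WRONLY O_CREAT` but not `O_TRUNC`, whereas the standard binding it replaces truncates an existing file; a service that rewrites a shorter value into an existing file would now leave the old tail bytes in place, which is a silent behaviour change for callers that expect a drop-in replacement. The flags line should read `(call-with-file file (logior O_WRONLY O_CREAT O_TRUNC O_CLOEXEC)`. It would also help to state the intended contract on `call-with-file` with a comment like `;; Like 'call-with-port', but open FILE with FLAGS (which should include O_CLOEXEC) and close it when PROC returns or escapes.` so that the reason for the `dynamic-wind` is visible at the definition. The surrounding `config` gexp starts and ends outside this hunk.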