ssh-agent: fix file descriptor inheritance (bug #3835) #583
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Remove closefrom() call which breaks user-provided command when it relies on inherited file descriptors. Fixes https://bugzilla.mindrot.org/show_bug.cgi?id=3835
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Remove
closefrom()call which breaks user-provided command when it relies on inherited file descriptors.This is a regression introduced in commit 66e9868 which introduces
closefrom()call closing all file descriptors above stderr (or open socket) which breaks file descriptor inheritance for any processes spawned by ssh-agent, is undocumented behavior, is mismatched from how upstream ssh-agent behaves and has no benefit.ssh-agent allows specifying arbitrary commands to be run:
Either of those can rely on pre-opened file descriptors as a means of communication or access control, especially in restricted environments (pledge, capsicum, seccomp-based sandboxes) where arbitrary open() and connect() are not available.
When running user-provided commands it's best practice to change the inherited process state as little as possible.