fork without exec needs to start being considered an unreasonable security risk.
Not only is it UB in multi-threaded parents; it also limits you to a blacklist model for scrubbing sensitive data, vs. a whitelist with fork+exec.
@RichFelker Used wisely, fork w/o exec is actually a way to contain sensitive data to a temporary sub-process. popa3d and pam_tcb do that.
@solardiz Sure. Tweets are too short for subtlety. :-( But the more common usage is cloning a session from a parent full of sensitive data.
@solardiz I don't mean you can't do smart things with fork, just that the typical uses are serious risks.
New conversation
@RichFelker But is there a workable fork+exec syscall proposal? Or should use of pthread disable fork?
@justincormack fork is fine as long as you exec afterwards. posix_spawn can be implemented without fork but that's just an efficiency matter
@RichFelker yeah posix_spawn could do with wider use. The complaints that you can't drop privs are misguided as they assume threads...
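The two points made in the thread above, as an added C example written for this page (it is my code, not code from the people quoted and not from popa3d, pam_tcb, musl or any other project). Part one forks while another thread holds a mutex: the child gets a snapshot in which the lock is held and the holder thread does not exist, so the lock can never be released there; trylock is used so the demo reports EBUSY instead of deadlocking the way a real lock, malloc or stdio call would. Part two contrasts the whitelist model (posix_spawn with an explicit envp) with the blacklist model (handing the child `environ` and hoping it was scrubbed). Assumptions: Linux/glibc, `/usr/bin/env` exists, and the secret `DB_PASSWORD=hunter2` is a constructed sample.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* ---- Hazard 1: fork() in a multi-threaded parent ------------------------ */

static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_barrier_t ready;

static void unlock_cb(void *m) { pthread_mutex_unlock((pthread_mutex_t *)m); }

/* Helper thread: take `lock`, tell main it is held, then block until cancelled. */
static void *holder(void *arg) {
    (void)arg;
    pthread_mutex_lock(&lock);
    pthread_cleanup_push(unlock_cb, &lock);
    pthread_barrier_wait(&ready);
    pause();                        /* cancellation point; unlock_cb runs on cancel */
    pthread_cleanup_pop(1);
    return NULL;
}

/* fork() copies only the calling thread. The holder thread does not exist in
 * the child, but the mutex memory still says "locked", so nothing in the child
 * can ever release it. Returns EBUSY if the child saw the lock held. */
int fork_inherits_held_lock(void) {
    pthread_t t;
    pthread_barrier_init(&ready, NULL, 2);
    pthread_create(&t, NULL, holder, NULL);
    pthread_barrier_wait(&ready);   /* lock is now held by another thread */

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)                   /* trylock, not lock: lock would hang forever */
        _exit(pthread_mutex_trylock(&lock) == EBUSY ? 1 : 0);

    int status = 0;
    waitpid(pid, &status, 0);
    pthread_cancel(t);
    pthread_join(t, NULL);
    pthread_barrier_destroy(&ready);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 1) ? EBUSY : 0;
}

/* ---- Hazard 2: what the child inherits ---------------------------------- */

/* Run /usr/bin/env via posix_spawn with an explicit envp and report whether
 * its output contains `needle`. Returns 1 (found), 0 (absent) or -1 (error). */
int spawned_env_contains(char *const envp[], const char *needle) {
    int fds[2];
    if (pipe(fds) != 0) return -1;

    posix_spawn_file_actions_t fa;
    posix_spawn_file_actions_init(&fa);
    posix_spawn_file_actions_adddup2(&fa, fds[1], STDOUT_FILENO);
    posix_spawn_file_actions_addclose(&fa, fds[0]);
    posix_spawn_file_actions_addclose(&fa, fds[1]);

    char *argv[] = { "env", NULL };
    pid_t pid;
    int rc = posix_spawn(&pid, "/usr/bin/env", &fa, NULL, argv, envp);
    posix_spawn_file_actions_destroy(&fa);
    close(fds[1]);
    if (rc != 0) { close(fds[0]); return -1; }

    char buf[8192];
    size_t n = 0;
    ssize_t r;
    while (n < sizeof buf - 1 && (r = read(fds[0], buf + n, sizeof buf - 1 - n)) > 0)
        n += (size_t)r;
    buf[n] = '\0';
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return strstr(buf, needle) != NULL;
}

/* Whitelist vs blacklist: the parent holds a constructed secret in its
 * environment. With an explicit envp the child sees only what we list; with
 * `environ` it sees everything we forgot to scrub. A child that forks without
 * exec is the blacklist case at its worst: it inherits the whole address space. */
int whitelist_demo(void) {
    setenv("DB_PASSWORD", "hunter2", 1);              /* constructed sample secret */
    char *allowed[] = { "LANG=C", "TZ=UTC", NULL };   /* the whitelist */

    int leaked    = spawned_env_contains(allowed, "DB_PASSWORD=");
    int passed    = spawned_env_contains(allowed, "LANG=C");
    int inherited = spawned_env_contains(environ, "DB_PASSWORD=");
    return leaked == 0 && passed == 1 && inherited == 1;
}

int main(void) {
    printf("child trylock after fork: %s\n",
           fork_inherits_held_lock() == EBUSY ? "EBUSY (would deadlock)" : "ok");
    printf("whitelist keeps secret out of child: %s\n", whitelist_demo() ? "yes" : "no");
    return 0;
}
```

Build with `cc -pthread fork_demo.c -o fork_demo`. The first part is exactly why POSIX only permits async-signal-safe calls in the child of a multi-threaded fork until exec: any lock held by a thread that was not copied stays held forever. The second part is the practical version of the whitelist argument: with posix_spawn you enumerate the environment, the file descriptors (via file actions, or O_CLOEXEC on everything else) and the argv the child may have, instead of trying to remember every secret to wipe.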
New conversation
@RichFelker e.g. we know sshd on Owl is not multi-threaded, so we enable pam_tcb's fork for its shadow file processing in /etc/pam.d/sshd
@RichFelker And yes, this is risky if the calling process is multi-threaded, which is why in pam_tcb it's enabled with a non-default option.