Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gh-97514: [3.12+] Authenticate the forkserver control socket. #99309

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

gh-97514: [3.12+] Authenticate the forkserver control socket. #99309

wants to merge 7 commits into from
+133 −16

Conversation

gpshead
Copy link
Member

@gpshead gpshead commented Nov 10, 2022
edited

This adds authentication. In the past only filesystem permissions protected this socket from code injection into the forkserver process by limiting access to the same UID, which didn't exist when Linux abstract namespace sockets were used (see issue) meaning that any process in the same system network namespace could inject code.

This reuses the hmac based shared key auth already used on multiprocessing sockets used for other purposes.

Doing this is useful so that filesystem permissions are not relied upon and trust isn't implied by default between all processes running as the same UID.

Tasks remaining

  • clean up the file descriptor leak from the new tests.

@gpshead
Authenticate the forkserver control socket.
d82afc8 
This adds authentication. In the past only filesystem permissions
protected this socket from code injection into the forkserver process by
limiting access to the same UID, which didn't exist when Linux abstract
namespace sockets were used (see issue) meaning that any process in the
same system network namespace could inject code.

This reuses the hmac based shared key auth already used on
multiprocessing sockets used for other purposes.

Doing this is useful so that filesystem permissions are not relied upon
and trust isn't implied by default between all processes running as the
same UID.
@gpshead gpshead added type-feature A feature request or enhancement 3.12 expert-multiprocessing labels Nov 10, 2022
@bedevere-bot bedevere-bot mentioned this pull request Nov 10, 2022
Closed
@gpshead gpshead self-assigned this Nov 10, 2022
@gpshead gpshead changed the title gh-97514: Authenticate the forkserver control socket. gh-97514: [3.12+] Authenticate the forkserver control socket. Nov 10, 2022
@gpshead gpshead requested review from vstinner and iritkatriel Nov 11, 2022
@gpshead gpshead added the 🔨 test-with-buildbots Test the PR with the buildbot fleet and report in the status section label Nov 11, 2022
@bedevere-bot
Copy link

bedevere-bot commented Nov 11, 2022

🤖 New build scheduled with the buildbot fleet by @gpshead for commit c83193d 🤖

If you want to schedule another build, you need to add the "🔨 test-with-buildbots" label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-buildbots Test the PR with the buildbot fleet and report in the status section label Nov 11, 2022
@gpshead
Copy link
Member Author

gpshead commented Nov 11, 2022

from the buildbots... tests leak some file descriptors. not too surprising given the bit of code the test pokes into, i'll see what can be done to manage those.

gpshead added 3 commits Nov 13, 2022
@gpshead
Fix refleaks in the test.
14f6f4d 
I can't add new testcases to test_multiprocessing_forkserver itself, i
had to put them within an existing _test_multiprocessing test class.  I
don't know why, but refleaks are fragile and that test suite is...
rediculiously complicated with all that it does.
@gpshead
minor news wording tweak.
8c5f7f4
@gpshead
fix the hang on macOS by removing part of the test.
ca47b6f 
I'm not sure _why_ the hang happened, the forkserver process wasn't exiting when
the alive_w fd was closed in the parent during tearDownModule(), instead it remained
in its selector() loop.  regardless the part of the test this removes fixes it and
it only happened on macOS.
@gpshead gpshead added the 🔨 test-with-buildbots Test the PR with the buildbot fleet and report in the status section label Nov 13, 2022
@bedevere-bot
Copy link

bedevere-bot commented Nov 13, 2022

🤖 New build scheduled with the buildbot fleet by @gpshead for commit ca47b6f 🤖

If you want to schedule another build, you need to add the "🔨 test-with-buildbots" label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-buildbots Test the PR with the buildbot fleet and report in the status section label Nov 13, 2022
@gpshead gpshead mentioned this pull request Nov 20, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vstinner vstinner

@iritkatriel iritkatriel

Assignees

@gpshead gpshead

Labels
3.12 awaiting core review expert-multiprocessing type-feature A feature request or enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@gpshead @bedevere-bot