gh-97514: [3.12+] Authenticate the forkserver control socket.
This adds authentication. Previously, only filesystem permissions protected this socket from code injection into the forkserver process, by limiting access to the same UID. That protection did not exist when Linux abstract namespace sockets were used (see the issue), meaning that any process in the same system network namespace could inject code.
This reuses the HMAC-based shared-key authentication already used on multiprocessing sockets for other purposes.
Doing this is useful so that filesystem permissions are not relied upon and trust isn't implied by default between all processes running as the same UID.
- Issue: gh-97514
Tasks remaining
- [x] Add explicit forkserver control auth presence, valid, invalid, accepted, & denied unit tests.
- [x] Add a NEWS entry.
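The HMAC challenge/response that this PR reuses is the one `multiprocessing.connection` already performs between `Listener` and `Client` when both are given an `authkey`. The following is an added example (not code from this PR or from CPython) that runs that existing handshake over a private local socket and reports each side's outcome for matching and mismatching keys; the key values are constructed for the demonstration.

```python
# Added example (not part of the PR): exercises the existing HMAC
# challenge/response authentication in multiprocessing.connection that
# the PR reuses for the forkserver control socket.
import threading
from multiprocessing import AuthenticationError
from multiprocessing.connection import Client, Listener


def run_exchange(server_key: bytes, client_key: bytes) -> dict:
    """Open an authenticated Listener with server_key, connect a Client with
    client_key, and report each side's outcome ('accepted' or 'denied')."""
    result = {}
    # Address None picks a private local socket (AF_UNIX where available).
    listener = Listener(authkey=server_key)

    def serve():
        try:
            # accept() runs deliver_challenge()/answer_challenge(): it sends
            # random challenge bytes and verifies the client's HMAC over them,
            # then answers the client's own challenge.
            conn = listener.accept()
            result["server"] = "accepted:" + conn.recv()
            conn.close()
        except AuthenticationError:
            result["server"] = "denied"

    server = threading.Thread(target=serve)
    server.start()
    try:
        # Client() performs the mirror-image handshake with client_key; a
        # wrong key makes the listener reply FAILURE and both sides raise.
        conn = Client(listener.address, authkey=client_key)
        conn.send("hello")
        conn.close()
        result["client"] = "accepted"
    except AuthenticationError:
        result["client"] = "denied"
    finally:
        server.join()
        listener.close()
    return result


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed sample key
    print(run_exchange(key, key))              # both sides accepted
    print(run_exchange(key, b"wrong-secret"))  # both sides denied
```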
:robot: New build scheduled with the buildbot fleet by @gpshead for commit c83193dc5645de8b6f9d33d5fe7a013a1bf88b6e :robot:
If you want to schedule another build, you need to add the ":hammer: test-with-buildbots" label again.
From the buildbots: tests leak some file descriptors. Not too surprising given the bit of code the test pokes into; I'll see what can be done to manage those.
:robot: New build scheduled with the buildbot fleet by @gpshead for commit ca47b6f9ab9e8966cac41438a14dd17015087d33 :robot:
If you want to schedule another build, you need to add the ":hammer: test-with-buildbots" label again.