zabbix-1.8.3-cloexec.patch
[ZBX-1908] file/socket descriptors are leaking Created: 2010 Feb 01 Updated: 2017 May 30 Resolved: 2010 Aug 31 |
|
| Status: | Closed |
| Project: | ZABBIX BUGS AND ISSUES |
| Component/s: | Agent (G) |
| Affects Version/s: | 1.6.8, 1.8.1 |
| Fix Version/s: | 1.8.4, 1.9.0 (alpha) |
| Type: | Incident report | Priority: | Critical |
| Reporter: | Dan Horak | Assignee: | Unassigned |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
Fedora 12 on x86_64 |
||
| Attachments: |
zabbix-1.8.3-cloexec.patch
|
| Description |
|
Some file/socket descriptors are leaking to child processes and that makes problems when running with SELinux enabled. It was first observed in agent when it runs "hostname" binary, first issue was a file descriptor for the pid file and after fixing this I have seen leaking sockets. Please see http://www.zabbix.com/forum/showthread.php?t=15671 for patches. |
| Comments |
| Comment by Dan Horak [ 2010 Feb 01 ] |
|
More information on Secure File Descriptor Handling is available at http://udrepper.livejournal.com/20407.html |
| Comment by Alexei Vladishev [ 2010 Feb 18 ] |
|
Dan, Thanks for reporting this. Interesting read. Please could you explain briefly how file/sockets descriptors may leak to the external binary executed by Zabbix agent. We do not do forks()! I read the article, but it confused me even more! Alexei |
| Comment by Dan Horak [ 2010 Feb 19 ] |
|
But you are using popen() in EXECUTE_STR() in libs/zbxsysinfo/common/common.c and popen() uses fork() + execl() internally. |
| Comment by Alexei Vladishev [ 2010 Mar 11 ] |
|
I do not see how this may be resolved because we have a network connection to Zabbix Server open while processing popen(), we just cannot close it. It looks very much like OS level problem. |
| Comment by Dan Horak [ 2010 Mar 17 ] |
|
Normally the socket and file descriptors are inherited from parent to the child after a fork() and they can be not needed in the child, especially when you are calling an external binary with exec(). The FD_CLOEXEC flag ensures, that the descriptors are closed for the child process only after it calls exec() and in the parent they remain normally open. |
| Comment by Dan Horak [ 2010 Aug 17 ] |
|
original patch rebased to 1.8.3 |
| Comment by Aleksandrs Saveljevs [ 2010 Aug 25 ] |
|
Additional reading: https://www.securecoding.cert.org/confluence/display/seccode/FIO42-C.+Ensure+files+are+properly+closed+when+they+are+no+longer+needed . |
| Comment by Aleksandrs Saveljevs [ 2010 Aug 25 ] |
|
Fixed in development branch svn://svn.zabbix.com/branches/dev/zbx-1908-descriptors-leaking. |
| Comment by Aleksandrs Saveljevs [ 2010 Aug 31 ] |
|
Merged into pre-1.8.4 in r14194. |
