run_command: Close non-std fds when execing slave processes (!30756) · Merge requests · bitcoin / bitcoin

Placeholder Luke Dashjr requested to merge github/fork/luke-jr/subproc_closefds into master Aug 29, 2024

Currently, RunCommandParseJSON runs its target with whatever fds happen to be open inherited on POSIX platforms. I don't think there's any practical scenario where this is a problem right now, but there's a lot of potential for weird problems (eg, if a process manages to outlive bitcoind - perhaps it's hanging - the listening port(s) won't get released and starting bitcoind again will fail). It's also a potential security issue if a child process is intended to be sandboxed at some point. Not to mention plain ugly :)

cpp-subprocess has a feature to address this called close_fds. Not sure why it was removed in #29961 rather than fixing this during the migration, but this PR restores it, enables it for RunCommandParseJSON, and optimises it by iterating over /proc/self/fd/ like most other libraries do these days (eg, glib) since iterating all possible fd numbers has been found to be problematic.

(Equivalent to #22417 was for boost::process)

run_command: Close non-std fds when execing slave processes

Merge request reports