From: Ricardo Branco
Subject: Re: [PATCH]: Add POSIX O_CLOFORK flag
To: Philip Guenther
Cc: tech@openbsd.org
Date: Sun, 22 Jun 2025 13:42:51 +0200

On 6/22/25 2:35 AM, Philip Guenther wrote:
> On Sat, Jun 21, 2025 at 4:44 PM Philip Guenther wrote:
>> On Sat, Jun 21, 2025 at 4:04 PM Ricardo Branco wrote:
>>> This initial patch adds support for the POSIX O_CLOFORK (close-on-fork) flag.
>>>
>>> If there's interest, I can update manpages and fill the TODO list in the PR:
>>> https://github.com/openbsd/src/pull/46
>>>
>>> I uploaded the full test-suite from Illumos adapted to OpenBSD there.
>>>
>>> Work also being done to add this flag on:
>>>
>>> - FreeBSD: https://github.com/freebsd/freebsd-src/pull/1698
>>> - DragonflyBSD: https://github.com/DragonFlyBSD/DragonFlyBSD/pull/28
>>>
>>> The discussion for adding this flag was done in the FreeBSD PR.
>> Nope. I implemented this myself last summer, but after Damien Miller
>> suggested that OpenSSH would want to clear the flag on inherited fds we
>> decided the specified behavior of O_CLOFORK being inherited across
>> exec is insecure, unnecessary for purpose, and kinda insane. I opened
>> a ticket with austin group:
>> https://austingroupbugs.net/view.php?id=1851
>>
>> Geoff Clare was going to reach out to other implementations to get
>> feedback but nothing has happened since.
>>
>> Maybe we should say that more than 10 months was sufficient for
>> austin-group to address a potential security issue, in which case I'll
>> rebase my diff, but with clearing the flag on exec because WTH were
>> they thinking.
> Rebased diff, with cleared-on-exec behavior, attached, in case you
> want to play with it, Ricardo.
> Regress tests would be wonderful :)
>
I just took a look at your patch. You saved me quite some time with stuff I missed and the manpages... I'll be testing it today.

What is the policy for including CDDL code? The Illumos tests are CDDL.
I'm not surprised at all that people didn't notice O_CLOFORK was already in Solaris & Illumos, because Google sucks and the dictionaries that added the term should revert that change.

Best,
Ricardo
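For readers who want to see the semantic difference the thread is arguing about, the following is an added example and not code from the OpenBSD diff, the Illumos test-suite, or any of the linked PRs. It contrasts close-on-exec (FD_CLOEXEC, which every platform has) with close-on-fork emulated in user space by a fork(2) wrapper that closes a registered set of descriptors in the child; the wrapper, the registry and the probe helpers are this example's own constructs. Each descriptor is probed twice: once in a plain forked child and once after that child exec's /bin/sh (assumed to exist) and asks the shell to dup the descriptor, which fails with a nonzero exit status when the descriptor is gone. Because the registry lives in the old image's memory, nothing of the emulated flag survives execve(2), so the emulation has the cleared-on-exec behaviour of the rebased diff rather than the inherited-across-exec behaviour POSIX specifies; the other limitation, that any fork() a library makes directly bypasses the wrapper, is exactly why a kernel-side flag is wanted.

```c
/* Added example: close-on-exec vs. emulated close-on-fork (not the OpenBSD patch). */
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Registry of descriptors that must not survive fork(). Assumption: every
 * fork in the program goes through clofork_fork(); a library calling fork()
 * directly bypasses it, which a real O_CLOFORK flag would not. */
#define CLOFORK_MAX 64
static int clofork_fds[CLOFORK_MAX];
static int clofork_count;

static int clofork_register(int fd)
{
    if (fd < 0 || clofork_count == CLOFORK_MAX)
        return -1;
    clofork_fds[clofork_count++] = fd;
    return 0;
}

static void clofork_unregister(int fd)
{
    for (int i = 0; i < clofork_count; i++)
        if (clofork_fds[i] == fd)
            clofork_fds[i] = clofork_fds[--clofork_count];
}

/* fork(2) wrapper: the child closes every registered descriptor before
 * returning. The registry is ordinary memory, so it is gone after execve(). */
static pid_t clofork_fork(void)
{
    pid_t pid = fork();
    if (pid == 0) {
        for (int i = 0; i < clofork_count; i++)
            close(clofork_fds[i]);
        clofork_count = 0;
    }
    return pid;
}

/* 1 if fd is open in the calling process, 0 otherwise. */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Fork through the wrapper and report whether the child still sees fd:
 * 1 = open, 0 = closed, -1 = fork/wait failure. */
static int fd_open_after_fork(int fd)
{
    pid_t pid = clofork_fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(fd_is_open(fd) ? 1 : 0);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Fork, exec /bin/sh, and have it dup fd for reading. A closed descriptor
 * makes the redirection fail and the shell exit nonzero. 1 = open, 0 = closed. */
static int fd_open_after_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null 9<&%d", fd);
    pid_t pid = clofork_fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Create a pipe (constructed test input), mark its read end close-on-exec
 * and/or emulated close-on-fork, probe it both ways, clean up. Returns 0 on
 * success and fills *after_fork / *after_exec with 1 (open) or 0 (closed). */
static int probe(int cloexec, int clofork, int *after_fork, int *after_exec)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    int fd = p[0];
    if (cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0)
        return -1;
    if (clofork && clofork_register(fd) < 0)
        return -1;
    *after_fork = fd_open_after_fork(fd);
    *after_exec = fd_open_after_exec(fd);
    if (clofork)
        clofork_unregister(fd);
    close(p[0]);
    close(p[1]);
    return 0;
}

int main(void)
{
    static const char *names[] = { "plain", "FD_CLOEXEC", "clofork (emulated)", "both" };
    for (int mode = 0; mode < 4; mode++) {
        int f = -1, e = -1;
        if (probe(mode & 1, mode & 2, &f, &e) < 0)
            return 1;
        printf("%-20s after fork: %s  after fork+exec: %s\n", names[mode],
               f ? "open" : "closed", e ? "open" : "closed");
    }
    return 0;
}
```

The plain descriptor is open in both probes, the FD_CLOEXEC one survives the fork but not the exec, and the emulated close-on-fork one is gone in the forked child and therefore also in anything it exec's. That last line is the whole point of the thread: once the descriptor is closed before exec, whether the new image "inherits" a close-on-fork flag on it is moot, and the only effect of inheriting the flag across exec is on descriptors the new image did not ask to have flagged.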