This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author gregory.p.smith
Recipients gregory.p.smith, izbyshev, koobs, pablogsal, ronaldoussoren, vstinner
Date 2019-01-26.23:18:52
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
> * Decide whether "setxid problem"[5] is important enough to worry about.
> [5]

This is a scary issue.  But I think a reasonable approach could be to never use vfork when running as whatever we choose to define a "privileged user" to be.

getuid() or geteuid() return 0?  don't use vfork.

the concept of "privileged user" can obviously mean a lot more than that and likely goes beyond what we should attempt to ascertain ourselves.

How about also providing a disable-only global setting so that someone writing code they consider to have elevated privileges can prevent its use entirely.  subprocess.disable_use_of_vfork() and subprocess.is_vfork_enabled() calls perhaps (just setting/reading a static int vfork_disallowed = 0 flag within _posixsubprocess.c).

If we did that, on systems where posix_spawn() _might_ be implemented using vfork() we'd want to avoid using it based on is_vfork_enabled().

True setuid vs vfork attack security would suggest code needs to opt-in to vfork() or posix_spawn() rather than opt-out.  Which would destroy the benefit for most users (who won't bother) for the sake of an issue that just is not what most code ever does (setuid/setgid/etc. calls are very uncommon for most software).

I think documenting "HEY, if you are running as with elevated privileges, here's a reason why you might want to disable vfork, and how to do it." should be enough.  Hopefully not famous last words.
Date User Action Args
2019-01-26 23:18:54gregory.p.smithsetrecipients: + gregory.p.smith, ronaldoussoren, vstinner, koobs, izbyshev, pablogsal
2019-01-26 23:18:52gregory.p.smithsetmessageid: <>
2019-01-26 23:18:52gregory.p.smithlinkissue35823 messages
2019-01-26 23:18:52gregory.p.smithcreate