[openssl-users] Session params output fails via cron

Jakob Bohm jb-openssl at wisemo.com
Mon Jan 7 16:06:15 UTC 2019 

On 04/01/2019 22:04, Michael Wojcik wrote:
>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Jordan Brown
>> Sent: Friday, January 04, 2019 13:16
>> If you want to, what you want is something like:
>>        int fd;
>>        do {
>>                fd = open("/dev/null", O_RDWR);
>>        } while (fd < 3);
>>        close(fd);
>> (That's strictly not quite right, since it leaves 0 open writable and 1 and 2 open readable,
>> but that's pretty harmless.)
> Behavior is unfortunate if open fails, e.g. because the NFILES limit is reached, or because /dev/null is inaccessible (e.g. due to a poorly-configured chroot). You'd be better off with (fd >= 0 && fd < 3).
>
> Since source bytes are cheap, though, and there are at most three opens to be done, I'd just do it explicitly for the three stdio descriptors. That would also make the intention clear. (Yes, the intention of your version is clear to old UNIX hands. It might not be to other people.)
>
> I'm ignoring portability considerations, since I personally don't think this would be a great thing to implement in the apps, so I'm not going to be submitting a PR for it.
>
A chroot with no other reason to open /dev/null should not contain that
file name, even on unix-like platforms (least privilege chroot design).

Please refer to my previous post about the many other reasons why
opening /dev/null has a high risk of failure.

Stepping back, it is worth investigating if:

  - Running TLS1.3 s_client with -ignoreeof and no stdin actually fails
   earlier than with stdin == /dev/null

  - If this is triggered by a code bug.

P.S.

On some Debian systems, cron runs scripts with stdout and stderr piped
(directly or indirectly) to a mail program that times out if a cron job
runs for a long time.


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list