Bug#492282: "seahorse-agent --execute" leaks file descriptors

Stefan Fritsch sf at sfritsch.de
Thu Jul 24 20:56:35 UTC 2008


Package: seahorse
Version: 2.22.3-1
Severity: normal
Tags: security

Seahorse leaks file descriptors to processes started with "seahorse-agent
--execute", including the gpg agent listening socket. For the default setup,
this means that all processes started from the desktop inherit those FDs and can
possibly use them. This can be a security issue because the FDs are also
inherited by processes started with su as a different user, which normally would
not have access to the gpg key and gpg agent socket.

Seahorse should use fcntl to set FD_CLOEXEC on its FDs.


PS: LVM complains about the open FDs, too:

$ su
Password:
# lvs
File descriptor 8 left open
File descriptor 9 left open
File descriptor 13 left open
...


PPS: You can use filan from the socat package to display information about the
open FDs.
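The fix the report asks for, shown as an added example that is not part of the bug report or of the seahorse code base: an AF_UNIX socket stands in for the agent's listening socket (an assumption; the real agent's socket setup is not on this page), `set_cloexec()` applies `FD_CLOEXEC` with `fcntl()` as the report suggests, and `fd_survives_exec()` checks from a defender's side whether an exec'd child (`/bin/sh`, assumed present) can still reach the descriptor, before and after the flag is set.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec, preserving its other descriptor flags.
 * Returns 0 on success, -1 on failure (errno set by fcntl). */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    if (flags & FD_CLOEXEC)
        return 0;                       /* already set, nothing to do */
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Returns 1 if FD_CLOEXEC is set on fd, 0 if not, -1 if fd is invalid. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Audit helper: fork, exec /bin/sh and let it try to dup the descriptor.
 * The dup (">&N") only succeeds if fd N is still open in the new image.
 * Returns 1 if the fd survives exec (leaked), 0 if it was closed, -1 on error. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; : >&%d", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                     /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Reproduces the leak and the fix on a constructed stand-in socket.
 * Writes whether the fd was reachable after exec before and after
 * FD_CLOEXEC was applied. Returns 0 on success, -1 on error. */
int demo_cloexec(int *leaked_before, int *leaked_after)
{
    /* Stand-in for the agent's listening socket (constructed, never bound). */
    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s < 0)
        return -1;

    *leaked_before = fd_survives_exec(s);   /* inherited: the reported bug */

    if (set_cloexec(s) != 0) {
        close(s);
        return -1;
    }
    *leaked_after = fd_survives_exec(s);    /* closed at exec: the fix */

    close(s);
    return 0;
}

int main(void)
{
    int before, after;
    if (demo_cloexec(&before, &after) != 0) {
        perror("demo_cloexec");
        return 1;
    }
    printf("fd reachable after exec without FD_CLOEXEC: %d\n", before);
    printf("fd reachable after exec with    FD_CLOEXEC: %d\n", after);
    return 0;
}
```

On Linux 2.6.27 and later the descriptor can be created with the flag already set (`socket(..., SOCK_STREAM | SOCK_CLOEXEC, 0)`, `O_CLOEXEC` for `open()`), which also closes the window between creation and the `fcntl()` call in a multithreaded process; the `fcntl()` form above is the portable fallback the report describes.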
