[CRITICAL] FD leak to child processes -- hardcoded 1024 limit #18

opened 2026-05-11 10:52:01 +00:00 by thabeta · 1 comment

Problem

In process.rs, the pre_exec closure closes inherited FDs 3..1024. This hardcoded limit means any FD numbered 1024 or higher leaks to child processes.

On a busy server, the supervisor can easily open FDs beyond 1024:

  • IPC connections (each client = 1 FD)
  • Log files (per-service file logging)
  • cgroup FDs
  • Syslog receiver socket
  • Timer file descriptors

Impact

  • Child processes inherit my_init's internal sockets (IPC, syslog), potentially causing FD exhaustion in services
  • Leaked sockets could allow compromised services to communicate with the supervisor
  • Violates the principle of least privilege for process isolation

Files

  • crates/my_init_server/src/process.rs -- pre_exec closure in spawn_process

Suggested Fix

Use posix_closefrom(3) (Linux 3.17+) or iterate /proc/self/fd to close all FDs beyond 2. This removes the hardcoded limit entirely.

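The helper below is an added example, not code from the my_init project. It shows the shape of the reported bug (a close loop with a fixed upper bound) next to a bounded-by-nothing replacement: close_range(2) first, and on kernels or seccomp profiles that refuse it, a loop up to the RLIMIT_NOFILE hard limit rather than a walk of /proc/self/fd, because reading /proc allocates and a pre_exec closure runs between fork() and exec() in a possibly multithreaded parent. It is Linux only; the libc calls and the close_range syscall number (436 on every architecture) are declared by hand so the block builds with std alone. The names close_up_to, close_from, dup_to, fds_at_or_above and list_fds_in_child are this example's own, and the fd number 1500 in main is a constructed stand-in for a supervisor fd that has climbed past 1024.

```rust
// Added example (not my_init code). Linux only; depends on std alone.
use std::fs;
use std::io;
use std::os::raw::{c_int, c_long, c_uint, c_ulong};
use std::os::unix::io::AsRawFd;
use std::os::unix::process::CommandExt;
use std::process::Command;

#[repr(C)]
struct Rlimit { cur: c_ulong, max: c_ulong }

unsafe extern "C" {
    fn close(fd: c_int) -> c_int;
    fn dup2(oldfd: c_int, newfd: c_int) -> c_int;
    fn getrlimit(resource: c_int, rlim: *mut Rlimit) -> c_int;
    fn setrlimit(resource: c_int, rlim: *const Rlimit) -> c_int;
    fn syscall(num: c_long, ...) -> c_long;
}

const SYS_CLOSE_RANGE: c_long = 436; // close_range(2), Linux 5.9+, same number on every arch
const RLIMIT_NOFILE: c_int = 7;
const RLIM_INFINITY: c_ulong = !0;
const FALLBACK_CAP: c_ulong = 1 << 20; // bounds the slow path when the hard limit is unlimited

/// The shape of the reported bug: a fixed upper bound. Every fd at or above
/// `limit` survives into the child.
pub fn close_up_to(lowfd: c_int, limit: c_int) {
    for fd in lowfd..limit {
        unsafe { close(fd); } // EBADF for unused slots is expected and ignored
    }
}

/// Close every fd >= lowfd with no fixed bound. close_range(2) does it in one
/// syscall for any fd number; if it fails (ENOSYS before Linux 5.9, EPERM under
/// a seccomp filter) we loop up to the RLIMIT_NOFILE hard limit instead.
/// Neither path allocates, so both are usable between fork() and exec().
pub fn close_from(lowfd: c_int) -> io::Result<()> {
    let rc = unsafe { syscall(SYS_CLOSE_RANGE, lowfd as c_uint, u32::MAX as c_uint, 0u32) };
    if rc == 0 {
        return Ok(());
    }
    let (_, hard) = nofile_limits()?;
    let top = if hard == RLIM_INFINITY || hard > FALLBACK_CAP { FALLBACK_CAP } else { hard };
    close_up_to(lowfd, top as c_int);
    Ok(())
}

pub fn nofile_limits() -> io::Result<(c_ulong, c_ulong)> {
    let mut r = Rlimit { cur: 0, max: 0 };
    if unsafe { getrlimit(RLIMIT_NOFILE, &mut r) } != 0 {
        return Err(io::Error::last_os_error());
    }
    Ok((r.cur, r.max))
}

/// Raise the soft NOFILE limit (never above the hard one) so an fd above the
/// old 1024 bound can exist at all. Returns the soft limit now in effect.
pub fn ensure_nofile_soft(at_least: c_ulong) -> io::Result<c_ulong> {
    let (cur, max) = nofile_limits()?;
    if cur >= at_least {
        return Ok(cur);
    }
    let want = if max == RLIM_INFINITY { at_least } else { at_least.min(max) };
    let r = Rlimit { cur: want, max };
    if unsafe { setrlimit(RLIMIT_NOFILE, &r) } != 0 {
        return Err(io::Error::last_os_error());
    }
    Ok(want)
}

/// Duplicate `fd` onto the exact number `target` (stands in for a busy server
/// whose IPC, log or timer fds have climbed past 1024).
pub fn dup_to(fd: c_int, target: c_int) -> io::Result<()> {
    if unsafe { dup2(fd, target) } < 0 {
        return Err(io::Error::last_os_error());
    }
    Ok(())
}

/// Open fds >= lowfd in this process, read from /proc/self/fd. Inspection only:
/// it allocates, so never call it from a pre_exec closure. The listing's own
/// directory handle may appear in the result at the lowest free number.
pub fn fds_at_or_above(lowfd: c_int) -> io::Result<Vec<c_int>> {
    let mut out = Vec::new();
    for entry in fs::read_dir("/proc/self/fd")? {
        let name = entry?.file_name();
        if let Some(fd) = name.to_str().and_then(|s| s.parse::<c_int>().ok()) {
            if fd >= lowfd {
                out.push(fd);
            }
        }
    }
    out.sort_unstable();
    Ok(out)
}

/// Spawn a child that lists its own fds, running `hook` between fork and exec
/// the way a supervisor's pre_exec closure does. std dup2()s the stdio pipes
/// onto 0..2 before pre_exec runs, so closing from 3 does not break capture.
pub fn list_fds_in_child(hook: impl FnMut() -> io::Result<()> + Send + Sync + 'static) -> io::Result<String> {
    let mut cmd = Command::new("/bin/sh");
    cmd.arg("-c").arg("ls /proc/self/fd");
    unsafe { cmd.pre_exec(hook) };
    let out = cmd.output()?;
    Ok(String::from_utf8_lossy(&out.stdout).into_owned())
}

fn main() -> io::Result<()> {
    const HIGH: c_int = 1500; // constructed: an fd number above the hardcoded bound
    ensure_nofile_soft(HIGH as c_ulong + 1)?;
    let f = fs::File::open("/dev/null")?;
    dup_to(f.as_raw_fd(), HIGH)?;
    println!("fd {HIGH} open in parent\n-- child after close_up_to(3, 1024): still has it --");
    print!("{}", list_fds_in_child(|| { close_up_to(3, 1024); Ok(()) })?);
    println!("-- child after close_from(3): gone --");
    print!("{}", list_fds_in_child(|| close_from(3))?);
    Ok(())
}
```

Two design notes. First, close_range also accepts CLOSE_RANGE_CLOEXEC (Linux 5.11+), which marks the range close-on-exec instead of closing it; that keeps std's own exec-error pipe working inside pre_exec and still removes every fd at exec time. Second, the sweep is defence in depth: Rust's std already opens files and sockets with O_CLOEXEC, so the supervisor's real guarantee comes from never creating an inheritable fd in the first place, and the pre_exec close is there to catch fds that reach the process some other way.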

Classification: valid-bug — hardcoded FD close range 3..1024 causes FDs >= 1024 to leak to child processes.

Confirmed by code inspection at crates/my_init_server/src/process.rs:389. The pre_exec closure iterates for fd in 3..1024 { libc::close(fd); }. On servers with many IPC connections, log files, cgroup FDs, and sockets, FDs can easily exceed 1024. These leaked FDs allow child processes to inherit my_init's internal sockets (IPC, syslog), potentially enabling communication with the supervisor from compromised services. The fix is to use close_range() or iterate /proc/self/fd.

Reference
geomind_code/my_init#18