From 3f90020d6216843f73f829a7c7cb1a3b64d596fc Mon Sep 17 00:00:00 2001 From: James Cammarata Date: Mon, 10 Feb 2014 15:51:52 -0600 Subject: [PATCH] Open LOG_LOCK file with FD_CLOEXEC to prevent file descriptor leakage Fixes #5399 --- lib/ansible/callbacks.py | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/lib/ansible/callbacks.py b/lib/ansible/callbacks.py index 4681dd2fe0..ccee06ebd2 100644 --- a/lib/ansible/callbacks.py +++ b/lib/ansible/callbacks.py @@ -74,12 +74,19 @@ def get_cowsay_info(): cowsay, noncow = get_cowsay_info() def log_lockfile(): + # create the path for the lockfile and open it tempdir = tempfile.gettempdir() uid = os.getuid() path = os.path.join(tempdir, ".ansible-lock.%s" % uid) - return path - -LOG_LOCK = open(log_lockfile(), 'w') + lockfile = open(path, 'w') + # use fcntl to set FD_CLOEXEC on the file descriptor, + # so that we don't leak the file descriptor later + lockfile_fd = lockfile.fileno() + old_flags = fcntl.fcntl(lockfile_fd, fcntl.F_GETFD) + fcntl.fcntl(lockfile_fd, fcntl.F_SETFD, old_flags | fcntl.FD_CLOEXEC) + return lockfile + +LOG_LOCK = log_lockfile() def log_flock(runner): if runner is not None: