BUG: shpool attach fails to close file descriptors

[skissane-medallia]

AI Policy Ack
Ack

What happened
Run this command: shpool attach fd-test --cmd='ls -l /proc/self/fd'

Get output like this:

total 0
lrwx------. 1 codespace codespace 64 May  9 05:26 0 -> /dev/pts/12
lrwx------. 1 codespace codespace 64 May  9 05:26 1 -> /dev/pts/12
lrwx------. 1 codespace codespace 64 May  9 05:26 11 -> /dev/pts/12
lrwx------. 1 codespace codespace 64 May  9 05:26 13 -> /dev/pts/ptmx
lrwx------. 1 codespace codespace 64 May  9 05:26 18 -> /dev/pts/ptmx
lrwx------. 1 codespace codespace 64 May  9 05:26 2 -> /dev/pts/12
lrwx------. 1 codespace codespace 64 May  9 05:26 23 -> /dev/pts/ptmx
lr-x------. 1 codespace codespace 64 May  9 05:26 3 -> /proc/4171019/fd

When we spawn a subprocess, it should only inherit fds 0-2. ls -l will open a third fd to read the target directory. But we shouldn't be inheriting fds like 11,13,18,23.

I guess the issue is the fd is not being opened with O_CLOEXEC? The problem is likely shpool_pty not using that in open call. But then you want to turn it off with FD_SETFD on FD_CLOXEC on fds 0, 1, and 2 just before the exec, so the exec doesn't close them, I guess.

What I expected to happen
Get output like this:

$ ls -l /proc/self/fd
total 0
lrwx------. 1 codespace codespace 64 May  9 05:30 0 -> /dev/pts/15
lrwx------. 1 codespace codespace 64 May  9 05:30 1 -> /dev/pts/15
lrwx------. 1 codespace codespace 64 May  9 05:30 2 -> /dev/pts/15
lr-x------. 1 codespace codespace 64 May  9 05:30 3 -> /proc/292647/fd

To Reproduce
Steps to reproduce the behavior:
shpool attach fd-test --cmd='ls -l /proc/self/fd'

Version info
shpool 0.10.0

Logs
Probably not necessary

[ethanpailes]

Nice catch, thanks! Do you want to try to fix this (totally fine if not)? It's probably a bit in the weeds of wading through the shell startup code, but I imagine the fix is going to be a relatively small patch.

[skissane-medallia]

@ethanpailes I'd be happy to give it a go... but I'm still waiting on approval from my employer to contribute.

Unfortunately, it is a multi-stage approval process, and realistically it might take another week.

[ethanpailes]

No worries, I'm not rushing for the next release, I'll wait for you to get approval to contribute.