From mboxrd@z Thu Jan 1 00:00:00 1970 From: Stephane Chazelas Subject: newline characters in unix socket names and /proc/net/unix Date: Sat, 14 Mar 2015 22:33:42 +0000 Message-ID: <20150314223342.GA4146@chaz.gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Werner Almesberger , Vic Abell To: netdev@vger.kernel.org Return-path: Received: from mail-wg0-f54.google.com ([74.125.82.54]:33695 "EHLO mail-wg0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751059AbbCNWdq (ORCPT ); Sat, 14 Mar 2015 18:33:46 -0400 Received: by wgbcc7 with SMTP id cc7so13095034wgb.0 for ; Sat, 14 Mar 2015 15:33:44 -0700 (PDT) Content-Disposition: inline Sender: netdev-owner@vger.kernel.org List-ID: Hello, it seems the kernel doesn't escape newline characters in the file names displayed in /proc/net/unix That file has this format: Num RefCount Protocol Flags Type St Inode Path ffff8802441bcb40: 00000002 00000000 00000000 0002 01 9219 /run/systemd/shutdownd ffff8800a0651780: 00000002 00000000 00010000 0001 01 37020 /tmp/.menu-cached-:0-stephane [...] and is used by things like fuser, lsof for instance to map Inode to Path (and libgtop, systemd (to check which sockets are still in use for cleanup) at least). # fuser /run/systemd/shutdownd /run/systemd/shutdownd: 1 # fuser /tmp/.menu-cached-:0-stephane /tmp/.menu-cached-:0-stephane: 4263 Now, one can bind a socket like: socket=$'/tmp/foo\nffff8802441bcb40: 00000002 00000000 00000000 0002 01 9219 /tmp/.menu-cached-:0-stephane' mkdir -p "${socket%/*}" nc -lU "$socket" Now /proc/net/unix has Num RefCount Protocol Flags Type St Inode Path ffff8802441bcb40: 00000002 00000000 00000000 0002 01 9219 /run/systemd/shutdownd ffff8800a0651780: 00000002 00000000 00010000 0001 01 37020 /tmp/.menu-cached-:0-stephane ffff880104af9400: 00000002 00000000 00010000 0001 01 5918000 /tmp/foo ffff8802441bcb40: 00000002 00000000 00000000 0002 01 9219 /tmp/.menu-cached-:0-stephane And fuser gives: # fuser /run/systemd/shutdownd # fuser /tmp/.menu-cached-:0-stephane /tmp/.menu-cached-:0-stephane: 1 4263 Which could be a problem if the output of fuser were used to decide what process to kill (like with -k). I think at least newline characters (and the escape character itself) should be escaped in there, maybe do something similar to what is currently done for the process name in /proc/self/status (fuser and lsof and the other tools would also need to be updated to take the change into account, note that lsof already chokes on space/tab/colon in there which I've already reported to Vic). Also note that /proc/net/unix doesn't change after a socket file has been renamed, so even after that issue is fixed, fuser -k on a socket may not be very reliable. Maybe it would help if the filesystem device/inode for the socket file were added to /proc/net/unix and/or if the path was updated like for the symlink targets of /proc/self/fd/*. -- Stephane