runtime: enforce standard descriptors are open on initialization #60641

Closed
@rolandshoemaker

Description

As of CL 501223, under various circumstances we enforce that when the runtime initializes, the standard file descriptors (0, 1, 2) are open and, if they are not, attempt to open them, pointing to /dev/null. This negates a class of privilege escalation vulnerabilities.

I propose that we always enforce this behavior, regardless of the SUID/SGID status of a program. Ignoring the dangerous behavior this can enable, it also seems confusing on its face that a program could be executed and os.Std{in,out,err} could be closed, or point to unexpected file descriptors if the program opens files itself, without a simple way for the program to determine this itself.

Enforcing that these descriptors are open makes programs safe by default, and makes the behavior of a program much easier to reason about without deep knowledge of the mechanisms behind the os.Std{in,out,err} abstractions and Unix file descriptor inheritance and precedence semantics.

Rust already enforces this behavior across the board: https://github.com/rust-lang/rust/blob/3572d7451d1062e8bccf310af6bbf6255091d296/library/std/src/sys/unix/mod.rs#L81-L164, rust-lang/rust#75295.
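As an added example (not code from the Go runtime, CL 501223, or the Rust standard library), here is a user-space Go reconstruction of the check the issue describes: each of fds 0, 1 and 2 is probed with fcntl(F_GETFD), and any that is closed is re-opened on /dev/null before the program opens anything else, so a later open() can never be handed a standard descriptor number. The fcntl probe and the helper names fdIsOpen and ensureStdFds are assumptions of this example, not the runtime's implementation.

```go
package main

import (
	"fmt"
	"syscall"
)

// fdIsOpen reports whether fd refers to an open file description.
// fcntl(F_GETFD) fails with EBADF on a closed descriptor (assumed probe).
func fdIsOpen(fd int) bool {
	_, _, errno := syscall.Syscall(syscall.SYS_FCNTL, uintptr(fd), syscall.F_GETFD, 0)
	return errno != syscall.EBADF
}

// ensureStdFds reproduces, in user space, the check the issue describes:
// any of fds 0, 1, 2 that is closed is re-opened on /dev/null so that a
// later open() cannot land on a standard descriptor number. It returns
// the fds it had to fill in. (Illustrative helper, not runtime code.)
func ensureStdFds() ([]int, error) {
	var filled []int
	for fd := 0; fd <= 2; fd++ {
		if fdIsOpen(fd) {
			continue
		}
		// open() yields the lowest free descriptor; every lower fd has
		// already been verified open, so the result must be fd itself.
		got, err := syscall.Open("/dev/null", syscall.O_RDWR, 0)
		if err != nil {
			return filled, err
		}
		if got != fd {
			syscall.Close(got) // should not happen; refuse a surprising fd
			return filled, fmt.Errorf("expected fd %d, got %d", fd, got)
		}
		filled = append(filled, fd)
	}
	return filled, nil
}

func main() {
	// Show the probe on a descriptor we know is closed, then run the check.
	tmp, _ := syscall.Open("/dev/null", syscall.O_RDONLY, 0)
	syscall.Close(tmp)
	fmt.Printf("fd %d open after close: %v\n", tmp, fdIsOpen(tmp)) // false
	filled, err := ensureStdFds()
	fmt.Println("filled:", filled, "err:", err)
}
```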
