common-main: call sanitize_stdfds()

This is setup that should be done in every program for
safety, but we never got around to adding it everywhere (so
builtins benefited from the call in git.c, but any external
commands did not). Putting it in the common main() gives us
this safety everywhere.

Note that the case in daemon.c is a little funny. We wait
until we know whether we want to daemonize, and then either:

 - call daemonize(), which will close stdio and reopen it to
   /dev/null under the hood

 - sanitize_stdfds(), to fix up any odd cases

But that is way too late; the point of sanitizing is to give
us reliable descriptors on 0/1/2, and we will already have
executed code, possibly called die(), etc. The sanitizing
should be the very first thing that happens.

With this patch, git-daemon will sanitize first, and can
remove the call in the non-daemonize case. It does mean that
daemonize() may just end up closing the descriptors we
opened, but that's not a big deal (it's not wrong to do so,
nor is it really less optimal than the case where our parent
process redirected us from /dev/null ahead of time).

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/common-main.c b/common-main.c
index 57c912a78e3f12665ee5afbacb8c5e69a5f4a53c..353c6ea175bba31fb4367f98e970195beb9e2a60 100644 (file)
--- a/common-main.c
+++ b/common-main.c
@@ -1,4 +1,4 @@
-#include "git-compat-util.h"
+#include "cache.h"
 #include "exec_cmd.h"
 
 int main(int argc, char **av)
@@ -9,6 +9,13 @@ int main(int argc, char **av)
         */
        const char **argv = (const char **)av;
 
+       /*
+        * Always open file descriptors 0/1/2 to avoid clobbering files
+        * in die().  It also avoids messing up when the pipes are dup'ed
+        * onto stdin/stdout/stderr in the child processes we spawn.
+        */
+       sanitize_stdfds();
+
        argv[0] = git_extract_argv0_path(argv[0]);
 
        return cmd_main(argc, argv);

diff --git a/daemon.c b/daemon.c
index f2bc7f43f61e4c13125f00c6fa92db43590b25fc..981338414ed7b0c1a0d32d6f3dea38088677d6ed 100644 (file)
--- a/daemon.c
+++ b/daemon.c
@@ -1364,8 +1364,7 @@ int cmd_main(int argc, const char **argv)
        if (detach) {
                if (daemonize())
                        die("--detach not supported on this platform");
-       } else
-               sanitize_stdfds();
+       }
 
        if (pid_file)
                write_file(pid_file, "%"PRIuMAX, (uintmax_t) getpid());

diff --git a/git.c b/git.c
index 3b4e12d7c68812301c10b884a87762b26f1bd43f..b65083ca9779cb5939309a13581ecf000dc4b196 100644 (file)
--- a/git.c
+++ b/git.c
@@ -639,13 +639,6 @@ int cmd_main(int argc, const char **argv)
        if (!cmd)
                cmd = "git-help";
 
-       /*
-        * Always open file descriptors 0/1/2 to avoid clobbering files
-        * in die().  It also avoids messing up when the pipes are dup'ed
-        * onto stdin/stdout/stderr in the child processes we spawn.
-        */
-       sanitize_stdfds();
-
        restore_sigpipe_to_default();
 
        git_setup_gettext();

diff --git a/shell.c b/shell.c
index ca00807d7ec0c2b20c24cb9baefc30e378db6cef..5e70acb9a6c8bd60be59854598bb9f1fb60fb643 100644 (file)
--- a/shell.c
+++ b/shell.c
@@ -147,13 +147,6 @@ int cmd_main(int argc, const char **argv)
 
        git_setup_gettext();
 
-       /*
-        * Always open file descriptors 0/1/2 to avoid clobbering files
-        * in die().  It also avoids messing up when the pipes are dup'ed
-        * onto stdin/stdout/stderr in the child processes we spawn.
-        */
-       sanitize_stdfds();
-
        /*
         * Special hack to pretend to be a CVS server
         */