1 diff -Naur pppd.orig/eap.c pppd/eap.c
2 --- pppd.orig/eap.c 2023-03-25 05:38:30.000000000 +0100
3 +++ pppd/eap.c 2023-06-30 12:58:07.984676045 +0200
6 if ((path = name_of_pn_file()) == NULL)
8 - fd = open(path, modebits, S_IRUSR | S_IWUSR);
9 + fd = open(path, modebits, S_IRUSR | S_IWUSR | O_CLOEXEC);
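Review bot: In the new `open()` call, `O_CLOEXEC` is OR-ed into the third argument, which is the creation mode, not the flags, so close-on-exec is never set and the descriptor for the file named by `name_of_pn_file()` is still inherited by every exec'd child. The flag's bit value is only mixed into the permission argument, where it has no descriptor-flag meaning. It belongs with `modebits`: `fd = open(path, modebits | O_CLOEXEC, S_IRUSR | S_IWUSR);`. The enclosing function starts and ends outside the lines shown, so it is worth confirming that `modebits` is not reused elsewhere in a way that needs the same treatment.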
13 diff -Naur pppd.orig/main.c pppd/main.c
14 --- pppd.orig/main.c 2023-03-25 05:38:30.000000000 +0100
15 +++ pppd/main.c 2023-06-30 13:00:15.155195676 +0200
19 /* Make sure fds 0, 1, 2 are open to somewhere. */
20 - fd_devnull = open(PPP_DEVNULL, O_RDWR);
21 + fd_devnull = open(PPP_DEVNULL, O_RDWR | O_CLOEXEC);
23 fatal("Couldn't open %s: %m", PPP_DEVNULL);
24 while (fd_devnull <= 2) {
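Review bot: Opening `PPP_DEVNULL` with `O_CLOEXEC` works against the `while (fd_devnull <= 2)` loop that follows, whose stated purpose is to keep fds 0, 1 and 2 open. If one of those is closed at startup, this `open()` returns it with close-on-exec set, so it vanishes again in any exec'd child. The loop body is outside the hunk. If it advances with `dup()`, the descriptor finally kept in `fd_devnull` has the flag cleared and stays inheritable. A safer order is to leave this `open()` as `open(PPP_DEVNULL, O_RDWR)` and set the flag once after the loop, `fcntl(fd_devnull, F_SETFD, FD_CLOEXEC);`.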
25 diff -Naur pppd.orig/options.c pppd/options.c
26 --- pppd.orig/options.c 2023-06-30 12:42:19.262593140 +0200
27 +++ pppd/options.c 2023-06-30 13:01:58.388323345 +0200
29 ppp_option_error("unable to drop permissions to open %s: %m", *argv);
32 - fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0644);
33 + fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_CLOEXEC, 0644);
34 if (fd < 0 && errno == EEXIST)
35 - fd = open(*argv, O_WRONLY | O_APPEND);
36 + fd = open(*argv, O_WRONLY | O_APPEND | O_CLOEXEC);
38 if (!privileged_option && seteuid(euid) == -1)
39 fatal("unable to regain privileges: %m");
40 diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c
41 --- pppd.orig/sys-linux.c 2023-06-30 12:43:20.634453475 +0200
42 +++ pppd/sys-linux.c 2023-06-30 13:11:25.715511251 +0200
46 dbglog("using channel %d", chindex);
47 - fd = open("/dev/ppp", O_RDWR);
48 + fd = open("/dev/ppp", O_RDWR | O_CLOEXEC);
50 error("Couldn't reopen /dev/ppp: %m");
53 dbglog("in make_ppp_unit, already had /dev/ppp open?");
56 - ppp_dev_fd = open("/dev/ppp", O_RDWR);
57 + ppp_dev_fd = open("/dev/ppp", O_RDWR | O_CLOEXEC);
59 fatal("Couldn't open /dev/ppp: %m");
60 flags = fcntl(ppp_dev_fd, F_GETFL);
62 if (!new_style_driver)
65 - master_fd = open("/dev/ppp", O_RDWR);
66 + master_fd = open("/dev/ppp", O_RDWR | O_CLOEXEC);
68 fatal("Couldn't open /dev/ppp: %m");
69 if (ioctl(master_fd, PPPIOCATTACH, &ifnum) < 0) {
72 forw_path = path_to_procfs("/sys/net/ipv4/ip_forward");
74 - int fd = open(forw_path, O_WRONLY);
75 + int fd = open(forw_path, O_WRONLY | O_CLOEXEC);
77 if (write(fd, "1", 1) != 1)
78 error("Couldn't enable IP forwarding: %m");
80 sscanf(utsname.release, "%d.%d.%d", &osmaj, &osmin, &ospatch);
81 kernel_version = KVERSION(osmaj, osmin, ospatch);
83 - fd = open("/dev/ppp", O_RDWR);
84 + fd = open("/dev/ppp", O_RDWR | O_CLOEXEC);
90 updwtmp(_PATH_WTMP, &ut);
92 - wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY);
93 + wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY|O_CLOEXEC);
100 path = path_to_procfs("/sys/net/ipv4/ip_dynaddr");
101 - if (path != 0 && (fd = open(path, O_WRONLY)) >= 0) {
102 + if (path != 0 && (fd = open(path, O_WRONLY | O_CLOEXEC)) >= 0) {
103 if (write(fd, "1", 1) != 1)
104 error("Couldn't enable dynamic IP addressing: %m");
106 @@ -3534,7 +3534,7 @@
108 * Try the unix98 way first.
110 - mfd = open("/dev/ptmx", O_RDWR);
111 + mfd = open("/dev/ptmx", O_RDWR | O_CLOEXEC);
114 if (ioctl(mfd, TIOCGPTN, &ptn) >= 0) {
115 @@ -3545,7 +3545,8 @@
116 if (ioctl(mfd, TIOCSPTLCK, &ptn) < 0)
117 warn("Couldn't unlock pty slave %s: %m", pty_name);
119 - if ((sfd = open(pty_name, O_RDWR | O_NOCTTY)) < 0)
121 + if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0)
123 warn("Couldn't open pty slave %s: %m", pty_name);
125 @@ -3559,10 +3560,10 @@
126 for (i = 0; i < 64; ++i) {
127 slprintf(pty_name, sizeof(pty_name), "/dev/pty%c%x",
128 'p' + i / 16, i % 16);
129 - mfd = open(pty_name, O_RDWR, 0);
130 + mfd = open(pty_name, O_RDWR | O_CLOEXEC, 0);
133 - sfd = open(pty_name, O_RDWR | O_NOCTTY, 0);
134 + sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC, 0);
136 ret = fchown(sfd, uid, -1);
138 diff -Naur pppd.orig/tdb.c pppd/tdb.c
139 --- pppd.orig/tdb.c 2021-07-23 06:41:07.000000000 +0200
140 +++ pppd/tdb.c 2023-06-30 13:12:55.034900600 +0200
141 @@ -1728,7 +1728,7 @@
145 - if ((tdb->fd = open(name, open_flags, mode)) == -1) {
146 + if ((tdb->fd = open(name, open_flags | O_CLOEXEC, mode)) == -1) {
147 TDB_LOG((tdb, 5, "tdb_open_ex: could not open file %s: %s\n",
148 name, strerror(errno)));
149 goto fail; /* errno set by open(2) */
150 @@ -1971,7 +1971,7 @@
152 if (close(tdb->fd) != 0)
153 TDB_LOG((tdb, 0, "tdb_reopen: WARNING closing tdb->fd failed!\n"));
154 - tdb->fd = open(tdb->name, tdb->open_flags & ~(O_CREAT|O_TRUNC), 0);
155 + tdb->fd = open(tdb->name, (tdb->open_flags & ~(O_CREAT|O_TRUNC)) | O_CLOEXEC, 0);
157 TDB_LOG((tdb, 0, "tdb_reopen: open failed (%s)\n", strerror(errno)));
159 diff -Naur pppd.orig/tty.c pppd/tty.c
160 --- pppd.orig/tty.c 2023-03-25 05:38:30.000000000 +0100
161 +++ pppd/tty.c 2023-06-30 13:14:06.450418113 +0200
163 ppp_set_status(EXIT_OPEN_FAILED);
166 - real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR, 0);
167 + real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR | O_CLOEXEC, 0);
169 if (prio < OPRIO_ROOT && seteuid(0) == -1)
170 fatal("Unable to regain privileges");
172 if (connector == NULL && modem && devnam[0] != 0) {
175 - if ((i = open(devnam, O_RDWR)) >= 0)
176 + if ((i = open(devnam, O_RDWR | O_CLOEXEC)) >= 0)
178 if (errno != EINTR) {
179 error("Failed to reopen %s: %m", devnam);
180 diff -Naur pppd.orig/utils.c pppd/utils.c
181 --- pppd.orig/utils.c 2022-12-30 02:12:39.000000000 +0100
182 +++ pppd/utils.c 2023-06-30 13:15:47.860182369 +0200
183 @@ -843,14 +843,14 @@
184 slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", PPP_PATH_LOCKDIR, dev);
187 - while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR, 0644)) < 0) {
188 + while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR | O_CLOEXEC, 0644)) < 0) {
189 if (errno != EEXIST) {
190 error("Can't create lock file %s: %m", lock_file);
194 /* Read the lock file to find out who has the device locked. */
195 - fd = open(lock_file, O_RDONLY, 0);
196 + fd = open(lock_file, O_RDONLY | O_CLOEXEC, 0);
198 if (errno == ENOENT) /* This is just a timing problem. */
202 if (lock_file[0] == 0)
204 - fd = open(lock_file, O_WRONLY, 0);
205 + fd = open(lock_file, O_WRONLY | O_CLOEXEC, 0);
207 error("Couldn't reopen lock file %s: %m", lock_file);