close more file descriptors on exec

Don't inherit the --status and --ifconfig-pool-persist, and on Linux
the epoll(7), file descriptors to scripts and other processes that
may be forked by plugins.

Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1359728354-9405-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7312
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 09ee4192b1d16bbd7c3c138cc2d46760a11797bf)

diff --git a/src/openvpn/event.c b/src/openvpn/event.c
index 2a13e1cfc99d03ae8c49c4b809a4a3539d64a0ee..34a3c451ff7915f39d6296556b7717761a45b7e0 100644 (file)
--- a/src/openvpn/event.c
+++ b/src/openvpn/event.c
@@ -34,6 +34,7 @@
 #include "error.h"
 #include "integer.h"
 #include "event.h"
+#include "fdmisc.h"
 
 #include "memdbg.h"
 
@@ -582,6 +583,8 @@ ep_init (int *maxevents, unsigned int flags)
   if (fd < 0)
     return NULL;
 
+  set_cloexec (fd);
+
   ALLOC_OBJ_CLEAR (eps, struct ep_set);
 
   /* set dispatch functions */

diff --git a/src/openvpn/status.c b/src/openvpn/status.c
index 5f9ab9eed66fd05adc627d9854baec4f3ea9e18c..b7ff484346b47b32b9dc8e8bce082db265e42fa0 100644 (file)
--- a/src/openvpn/status.c
+++ b/src/openvpn/status.c
@@ -33,6 +33,7 @@
 #include "status.h"
 #include "perf.h"
 #include "misc.h"
+#include "fdmisc.h"
 
 #include "memdbg.h"
 
@@ -98,6 +99,7 @@ status_open (const char *filename,
          if (so->fd >= 0)
            {
              so->filename = string_alloc (filename, NULL);
+             set_cloexec (so->fd);
 
              /* allocate read buffer */
              if (so->flags & STATUS_OUTPUT_READ)