openssh/openssh-5.1p1-cloexec.patch
Tomáš Mráz 9e5c6ecd02 - set FD_CLOEXEC on channel sockets (#475866)
- adjust summary
- adjust nss-keys patch so it is applicable without selinux patches
    (#470859)
2008-12-11 21:48:41 +00:00

74 lines
2.1 KiB
Diff

diff -up openssh-5.1p1/channels.c.cloexec openssh-5.1p1/channels.c
--- openssh-5.1p1/channels.c.cloexec 2008-12-11 22:24:49.000000000 +0100
+++ openssh-5.1p1/channels.c 2008-12-11 22:29:52.000000000 +0100
@@ -60,6 +60,7 @@
#include <termios.h>
#include <unistd.h>
#include <stdarg.h>
+#include <fcntl.h>
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
@@ -230,6 +231,18 @@ channel_register_fds(Channel *c, int rfd
/* XXX set close-on-exec -markus */
+ if (rfd != -1) {
+ fcntl(rfd, F_SETFD, FD_CLOEXEC);
+ }
+
+ if (wfd != -1 && wfd != rfd) {
+ fcntl(wfd, F_SETFD, FD_CLOEXEC);
+ }
+
+ if (efd != -1 && efd != rfd && efd != wfd) {
+ fcntl(efd, F_SETFD, FD_CLOEXEC);
+ }
+
c->rfd = rfd;
c->wfd = wfd;
c->sock = (rfd == wfd) ? rfd : -1;
diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c
--- openssh-5.1p1/sshconnect2.c.cloexec 2008-12-11 22:24:49.000000000 +0100
+++ openssh-5.1p1/sshconnect2.c 2008-12-11 22:24:49.000000000 +0100
@@ -38,6 +38,7 @@
#include <stdio.h>
#include <string.h>
#include <unistd.h>
+#include <fcntl.h>
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
#include <vis.h>
#endif
@@ -1267,6 +1268,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i
return -1;
}
if (pid == 0) {
+ fcntl(packet_get_connection_in(), F_SETFD, 0); /* keep the socket on exec */
permanently_drop_suid(getuid());
close(from[0]);
if (dup2(from[1], STDOUT_FILENO) < 0)
diff -up openssh-5.1p1/sshconnect.c.cloexec openssh-5.1p1/sshconnect.c
--- openssh-5.1p1/sshconnect.c.cloexec 2008-07-02 14:34:30.000000000 +0200
+++ openssh-5.1p1/sshconnect.c 2008-12-11 22:24:49.000000000 +0100
@@ -38,6 +38,7 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <fcntl.h>
#include "xmalloc.h"
#include "key.h"
@@ -194,8 +195,11 @@ ssh_create_socket(int privileged, struct
return sock;
}
sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
- if (sock < 0)
+ if (sock < 0) {
error("socket: %.100s", strerror(errno));
+ return -1;
+ }
+ fcntl(sock, F_SETFD, FD_CLOEXEC);
/* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL)