From 11fc34e1c519e73dbde252cb1bd3886be6b9366f Mon Sep 17 00:00:00 2001
From: Arthur de Jong <arthur@arthurdejong.org>
Date: Sun, 11 Nov 2012 16:40:41 +0000
Subject: set FD_CLOEXEC in NSS and PAM modules to ensure that nslcd file
 descriptor is not leaked to child processes

git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1821 ef36b2f9-881f-0410-afb5-c4e39611909c
---
 common/nslcd-prot.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/common/nslcd-prot.c b/common/nslcd-prot.c
index 3bb3e0c..66c10af 100644
--- a/common/nslcd-prot.c
+++ b/common/nslcd-prot.c
@@ -33,6 +33,7 @@
 #include <sys/stat.h>
 #include <errno.h>
 #include <string.h>
+#include <fcntl.h>
 
 #include "nslcd.h"
 #include "nslcd-prot.h"
@@ -62,6 +63,7 @@ TFILE *nslcd_client_open()
   int sock;
   struct sockaddr_un addr;
   TFILE *fp;
+  int flags;
   /* create a socket */
   if ( (sock=socket(PF_UNIX,SOCK_STREAM,0))<0 )
     return NULL;
@@ -70,6 +72,10 @@ TFILE *nslcd_client_open()
   addr.sun_family=AF_UNIX;
   strncpy(addr.sun_path,NSLCD_SOCKET,sizeof(addr.sun_path));
   addr.sun_path[sizeof(addr.sun_path)-1]='\0';
+  /* close the file descriptor on exec (ignore errors) */
+  flags=fcntl(sock,F_GETFL);
+  if (flags>=0)
+    (void)fcntl(sock,F_SETFD,flags|FD_CLOEXEC);
   /* connect to the socket */
   if (connect(sock,(struct sockaddr *)&addr,SUN_LEN(&addr))<0)
   {
-- 
cgit v1.2.3