diff options
Diffstat (limited to 'debian/patches/close_socket_before_scripts.patch')
-rw-r--r-- | debian/patches/close_socket_before_scripts.patch | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/debian/patches/close_socket_before_scripts.patch b/debian/patches/close_socket_before_scripts.patch new file mode 100644 index 0000000..6e00c00 --- /dev/null +++ b/debian/patches/close_socket_before_scripts.patch @@ -0,0 +1,102 @@ +--- a/src/openvpn/manage.c ++++ b/src/openvpn/manage.c +@@ -1499,7 +1499,6 @@ man_new_connection_post (struct management *man, const char *description) + struct gc_arena gc = gc_new (); + + set_nonblock (man->connection.sd_cli); +- set_cloexec (man->connection.sd_cli); + + man_connection_settings_reset (man); + +@@ -1640,7 +1639,6 @@ man_listen (struct management *man) + * Set misc socket properties + */ + set_nonblock (man->connection.sd_top); +- set_cloexec (man->connection.sd_top); + + #if UNIX_SOCK_SUPPORT + if (man->settings.flags & MF_UNIX_SOCK) +--- a/src/openvpn/socket.c ++++ b/src/openvpn/socket.c +@@ -771,6 +771,10 @@ create_socket_tcp (struct addrinfo* addrinfo) + } + #endif + ++ /* set socket file descriptor to not pass across execs, so that ++ scripts don't have access to it */ ++ set_cloexec (sd); ++ + return sd; + } + +@@ -815,6 +819,11 @@ create_socket_udp (struct addrinfo* addrinfo, const unsigned int flags) + } + } + #endif ++ ++ /* set socket file descriptor to not pass across execs, so that ++ scripts don't have access to it */ ++ set_cloexec (sd); ++ + return sd; + } + +@@ -968,6 +977,12 @@ socket_do_accept (socket_descriptor_t sd, + openvpn_close_socket (new_sd); + new_sd = SOCKET_UNDEFINED; + } ++ else ++ { ++ /* set socket file descriptor to not pass across execs, so that ++ scripts don't have access to it */ ++ set_cloexec (sd); ++ } + return new_sd; + } + +@@ -1617,6 +1632,7 @@ link_socket_init_phase1 (struct link_socket *sock, + ASSERT (sock->info.proto != PROTO_TCP_CLIENT); + ASSERT (socket_defined (inetd_socket_descriptor)); + sock->sd = inetd_socket_descriptor; ++ set_cloexec (sock->sd); /* not created by create_socket*() */ + } + else if (mode != LS_MODE_TCP_ACCEPT_FROM) + { +@@ -1677,13 +1693,6 @@ phase2_set_socket_flags (struct link_socket* sock) + /* set socket to non-blocking mode */ + set_nonblock (sock->sd); + +- /* set socket file descriptor to not pass across execs, so that +- scripts don't have access to it */ +- set_cloexec (sock->sd); +- +- if (socket_defined (sock->ctrl_sd)) +- set_cloexec (sock->ctrl_sd); +- + /* set Path MTU discovery options on the socket */ + set_mtu_discover_type (sock->sd, sock->mtu_discover_type, sock->info.af); + +@@ -3476,6 +3485,11 @@ create_socket_unix (void) + + if ((sd = socket (PF_UNIX, SOCK_STREAM, 0)) < 0) + msg (M_ERR, "Cannot create unix domain socket"); ++ ++ /* set socket file descriptor to not pass across execs, so that ++ scripts don't have access to it */ ++ set_cloexec (sd); ++ + return sd; + } + +@@ -3516,6 +3530,12 @@ socket_accept_unix (socket_descriptor_t sd, + + CLEAR (*remote); + ret = accept (sd, (struct sockaddr *) remote, &remote_len); ++ if ( ret >= 0 ) ++ { ++ /* set socket file descriptor to not pass across execs, so that ++ scripts don't have access to it */ ++ set_cloexec (ret); ++ } + return ret; + } |