1 files changed, 102 insertions, 0 deletions

diff --git a/debian/patches/close_socket_before_scripts.patch b/debian/patches/close_socket_before_scripts.patch
new file mode 100644
index 0000000..6e00c00
--- /dev/null
+++ b/debian/patches/close_socket_before_scripts.patch
@@ -0,0 +1,102 @@
+--- a/src/openvpn/manage.c
++++ b/src/openvpn/manage.c
+@@ -1499,7 +1499,6 @@ man_new_connection_post (struct management *man, const char *description)
+   struct gc_arena gc = gc_new ();
+
+   set_nonblock (man->connection.sd_cli);
+-  set_cloexec (man->connection.sd_cli);
+
+   man_connection_settings_reset (man);
+
+@@ -1640,7 +1639,6 @@ man_listen (struct management *man)
+        * Set misc socket properties
+        */
+       set_nonblock (man->connection.sd_top);
+-      set_cloexec (man->connection.sd_top);
+
+ #if UNIX_SOCK_SUPPORT
+       if (man->settings.flags & MF_UNIX_SOCK)
+--- a/src/openvpn/socket.c
++++ b/src/openvpn/socket.c
+@@ -771,6 +771,10 @@ create_socket_tcp (struct addrinfo* addrinfo)
+   }
+ #endif
+
++  /* set socket file descriptor to not pass across execs, so that
++     scripts don't have access to it */
++  set_cloexec (sd);
++
+   return sd;
+ }
+
+@@ -815,6 +819,11 @@ create_socket_udp (struct addrinfo* addrinfo, const unsigned int flags)
+         }
+     }
+ #endif
++
++  /* set socket file descriptor to not pass across execs, so that
++     scripts don't have access to it */
++  set_cloexec (sd);
++
+   return sd;
+ }
+
+@@ -968,6 +977,12 @@ socket_do_accept (socket_descriptor_t sd,
+       openvpn_close_socket (new_sd);
+       new_sd = SOCKET_UNDEFINED;
+     }
++  else
++    {
++      /* set socket file descriptor to not pass across execs, so that
++        scripts don't have access to it */
++      set_cloexec (sd);
++    }
+   return new_sd;
+ }
+
+@@ -1617,6 +1632,7 @@ link_socket_init_phase1 (struct link_socket *sock,
+       ASSERT (sock->info.proto != PROTO_TCP_CLIENT);
+       ASSERT (socket_defined (inetd_socket_descriptor));
+       sock->sd = inetd_socket_descriptor;
++      set_cloexec (sock->sd);          /* not created by create_socket*() */
+     }
+   else if (mode != LS_MODE_TCP_ACCEPT_FROM)
+     {
+@@ -1677,13 +1693,6 @@ phase2_set_socket_flags (struct link_socket* sock)
+   /* set socket to non-blocking mode */
+   set_nonblock (sock->sd);
+
+-  /* set socket file descriptor to not pass across execs, so that
+-     scripts don't have access to it */
+-  set_cloexec (sock->sd);
+-
+-  if (socket_defined (sock->ctrl_sd))
+-    set_cloexec (sock->ctrl_sd);
+-
+   /* set Path MTU discovery options on the socket */
+   set_mtu_discover_type (sock->sd, sock->mtu_discover_type, sock->info.af);
+
+@@ -3476,6 +3485,11 @@ create_socket_unix (void)
+
+   if ((sd = socket (PF_UNIX, SOCK_STREAM, 0)) < 0)
+     msg (M_ERR, "Cannot create unix domain socket");
++
++  /* set socket file descriptor to not pass across execs, so that
++     scripts don't have access to it */
++  set_cloexec (sd);
++
+   return sd;
+ }
+
+@@ -3516,6 +3530,12 @@ socket_accept_unix (socket_descriptor_t sd,
+
+   CLEAR (*remote);
+   ret = accept (sd, (struct sockaddr *) remote, &remote_len);
++  if ( ret >= 0 )
++    {
++      /* set socket file descriptor to not pass across execs, so that
++        scripts don't have access to it */
++      set_cloexec (ret);
++    }
+   return ret;
+ }