Description: Set socket's FD_CLOEXEC flag before calling up script Moving the set_cloexec() call from link_socket_init_phase2() to link_socket_init_phase1(). Author: Julien Cristau Bug-Debian: http://bugs.debian.org/367716 Index: openvpn/src/openvpn/socket.c =================================================================== --- openvpn.orig/src/openvpn/socket.c 2015-07-01 14:10:06.116131868 +0200 +++ openvpn/src/openvpn/socket.c 2015-07-01 14:10:06.112131911 +0200 @@ -1494,6 +1494,10 @@ resolve_bind_local (sock); resolve_remote (sock, 1, NULL, NULL); } + + /* set socket file descriptor to not pass across execs, so that + scripts don't have access to it */ + set_cloexec (sock->sd); } /* finalize socket initialization */ @@ -1724,10 +1728,6 @@ /* set socket to non-blocking mode */ set_nonblock (sock->sd); - /* set socket file descriptor to not pass across execs, so that - scripts don't have access to it */ - set_cloexec (sock->sd); - #ifdef ENABLE_SOCKS if (socket_defined (sock->ctrl_sd)) set_cloexec (sock->ctrl_sd);