|
 |
3131004 |
diff -up openssh-5.3p1/channels.c.cloexec openssh-5.3p1/channels.c
|
|
|
606b55d |
--- openssh-5.3p1/channels.c.cloexec 2010-01-25 17:25:58.000000000 +0100
|
|
|
606b55d |
+++ openssh-5.3p1/channels.c 2010-01-25 17:26:01.000000000 +0100
|
|
 |
9e5c6ec |
@@ -60,6 +60,7 @@
|
|
|
9e5c6ec |
#include <termios.h>
|
|
|
9e5c6ec |
#include <unistd.h>
|
|
|
9e5c6ec |
#include <stdarg.h>
|
|
|
9e5c6ec |
+#include <fcntl.h>
|
|
|
9e5c6ec |
|
|
|
9e5c6ec |
#include "openbsd-compat/sys-queue.h"
|
|
|
9e5c6ec |
#include "xmalloc.h"
|
|
|
9e5c6ec |
@@ -230,6 +231,18 @@ channel_register_fds(Channel *c, int rfd
|
|
|
9e5c6ec |
|
|
|
9e5c6ec |
/* XXX set close-on-exec -markus */
|
|
|
9e5c6ec |
|
|
|
9e5c6ec |
+ if (rfd != -1) {
|
|
|
9e5c6ec |
+ fcntl(rfd, F_SETFD, FD_CLOEXEC);
|
|
|
9e5c6ec |
+ }
|
|
|
9e5c6ec |
+
|
|
|
9e5c6ec |
+ if (wfd != -1 && wfd != rfd) {
|
|
|
9e5c6ec |
+ fcntl(wfd, F_SETFD, FD_CLOEXEC);
|
|
|
9e5c6ec |
+ }
|
|
|
9e5c6ec |
+
|
|
|
9e5c6ec |
+ if (efd != -1 && efd != rfd && efd != wfd) {
|
|
|
9e5c6ec |
+ fcntl(efd, F_SETFD, FD_CLOEXEC);
|
|
|
9e5c6ec |
+ }
|
|
|
9e5c6ec |
+
|
|
|
9e5c6ec |
c->rfd = rfd;
|
|
|
9e5c6ec |
c->wfd = wfd;
|
|
|
9e5c6ec |
c->sock = (rfd == wfd) ? rfd : -1;
|
|
|
3131004 |
diff -up openssh-5.3p1/sshconnect2.c.cloexec openssh-5.3p1/sshconnect2.c
|
|
|
606b55d |
--- openssh-5.3p1/sshconnect2.c.cloexec 2010-01-25 17:25:58.000000000 +0100
|
|
|
606b55d |
+++ openssh-5.3p1/sshconnect2.c 2010-01-25 17:26:01.000000000 +0100
|
|
|
3131004 |
@@ -39,6 +39,7 @@
|
|
|
077dad7 |
#include <stdio.h>
|
|
|
077dad7 |
#include <string.h>
|
|
|
077dad7 |
#include <unistd.h>
|
|
|
077dad7 |
+#include <fcntl.h>
|
|
|
93a4744 |
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
|
|
|
93a4744 |
#include <vis.h>
|
|
|
93a4744 |
#endif
|
|
|
3131004 |
@@ -1512,6 +1513,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i
|
|
|
077dad7 |
return -1;
|
|
|
077dad7 |
}
|
|
|
077dad7 |
if (pid == 0) {
|
|
|
077dad7 |
+ fcntl(packet_get_connection_in(), F_SETFD, 0); /* keep the socket on exec */
|
|
|
077dad7 |
permanently_drop_suid(getuid());
|
|
|
077dad7 |
close(from[0]);
|
|
|
077dad7 |
if (dup2(from[1], STDOUT_FILENO) < 0)
|
|
|
3131004 |
diff -up openssh-5.3p1/sshconnect.c.cloexec openssh-5.3p1/sshconnect.c
|
|
|
3131004 |
--- openssh-5.3p1/sshconnect.c.cloexec 2009-06-21 10:53:53.000000000 +0200
|
|
|
606b55d |
+++ openssh-5.3p1/sshconnect.c 2010-01-25 17:26:01.000000000 +0100
|
|
|
2cb0e73 |
@@ -38,6 +38,7 @@
|
|
|
2cb0e73 |
#include <stdlib.h>
|
|
|
2cb0e73 |
#include <string.h>
|
|
|
2cb0e73 |
#include <unistd.h>
|
|
|
2cb0e73 |
+#include <fcntl.h>
|
|
|
2cb0e73 |
|
|
|
2cb0e73 |
#include "xmalloc.h"
|
|
|
2cb0e73 |
#include "key.h"
|
|
|
3131004 |
@@ -191,8 +192,11 @@ ssh_create_socket(int privileged, struct
|
|
|
2cb0e73 |
return sock;
|
|
|
2cb0e73 |
}
|
|
|
2cb0e73 |
sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
|
|
|
2cb0e73 |
- if (sock < 0)
|
|
|
2cb0e73 |
+ if (sock < 0) {
|
|
|
2cb0e73 |
error("socket: %.100s", strerror(errno));
|
|
|
2cb0e73 |
+ return -1;
|
|
|
2cb0e73 |
+ }
|
|
|
2cb0e73 |
+ fcntl(sock, F_SETFD, FD_CLOEXEC);
|
|
|
2cb0e73 |
|
|
|
2cb0e73 |
/* Bind the socket to an alternative local IP address */
|
|
|
2cb0e73 |
if (options.bind_address == NULL)
|
|
|
3131004 |
diff -up openssh-5.3p1/sshd.c.cloexec openssh-5.3p1/sshd.c
|
|
|
606b55d |
--- openssh-5.3p1/sshd.c.cloexec 2010-01-25 17:25:55.000000000 +0100
|
|
|
606b55d |
+++ openssh-5.3p1/sshd.c 2010-01-25 18:29:23.000000000 +0100
|
|
|
606b55d |
@@ -1756,6 +1756,10 @@ main(int ac, char **av)
|
|
|
606b55d |
sock_in, sock_out, newsock, startup_pipe, config_s[0]);
|
|
|
606b55d |
}
|
|
|
606b55d |
|
|
|
606b55d |
+ /* set fd cloexec on io/sockets to avoid to forward them to childern */
|
|
|
606b55d |
+ fcntl(sock_out, F_SETFD, FD_CLOEXEC);
|
|
|
606b55d |
+ fcntl(sock_in, F_SETFD, FD_CLOEXEC);
|
|
|
606b55d |
+
|
|
|
606b55d |
/*
|
|
|
606b55d |
* Disable the key regeneration alarm. We will not regenerate the
|
|
|
606b55d |
* key since we are no longer in a position to give it to anyone. We
|