authorGary Lockyer <gary@catalyst.net.nz>2017-12-11 09:58:59 +1300
committerAndrew Bartlett <abartlet@samba.org>2017-12-18 04:38:20 +0100
commit242aacb0e25c606ba1d003fb37e41d0b1b8c8e96 (patch)
treefa028ebe36791b19eff7dc0c466a9fb5f8ad035f
parent562ac9a9559802b64cb8b2990a8172444040a1c8 (diff)
downloadsamba-242aacb0e25c606ba1d003fb37e41d0b1b8c8e96.tar.gz
source3/winbindd/winbindd.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that the socket is unavailable to any child process created by system(), making it harder for malicious code to set up a command channel, as seen in the exploit for CVE-2015-0240. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source3/winbindd/winbindd.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 23e8a5ede5e..fc7c1691873 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -874,6 +874,7 @@ static void new_connection(int listen_sock, bool privileged)
}
return;
}
+ smb_set_close_on_exec(sock);
DEBUG(6,("accepted socket %d\n", sock));
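Review bot: The result of the added `smb_set_close_on_exec(sock)` call is discarded, so if setting the flag fails, the accepted socket stays inheritable across exec and nothing is logged. Assuming the helper returns the fcntl() status (its definition is not in this hunk), something like `if (smb_set_close_on_exec(sock) != 0) DEBUG(1, ("close-on-exec failed on socket %d: %s\n", sock, strerror(errno)));` would make a missing hardening step visible in the logs. Setting the flag in a separate call after accept() also leaves a short interval in which the descriptor is still inheritable; where the platform offers it, accept4() with SOCK_CLOEXEC sets the flag atomically. new_connection's body begins and ends outside the hunk, so the accept() call itself is not visible here.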