authorGary Lockyer <gary@catalyst.net.nz>2017-12-11 09:36:08 +1300
committerAndrew Bartlett <abartlet@samba.org>2017-12-18 04:38:20 +0100
commit9ccf164550ab139edf123d00f68fd43d500d734c (patch)
tree13eb754352225d2e368b0f151dcbf38bd496475f /ctdb
parent8b3c58251146d2e982a6c9fdb3828ca65e307a96 (diff)
ctdb/server/ctdb_daemon.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that the socket is unavailable to any child process created by system(), making it harder for malicious code to set up a command channel, as seen in the exploit for CVE-2015-0240. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'ctdb')
-rw-r--r--ctdb/server/ctdb_daemon.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/ctdb/server/ctdb_daemon.c b/ctdb/server/ctdb_daemon.c
index 459dd2932ee..35c1ab639b5 100644
--- a/ctdb/server/ctdb_daemon.c
+++ b/ctdb/server/ctdb_daemon.c
@@ -949,6 +949,7 @@ static void ctdb_accept_client(struct tevent_context *ev,
if (fd == -1) {
return;
}
+ smb_set_close_on_exec(fd);
ret = set_blocking(fd, false);
if (ret != 0) {
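Review bot: The result of `smb_set_close_on_exec(fd)` on the added line is discarded, while the `set_blocking(fd, false)` call directly below checks `ret`; if setting the flag fails, the accepted socket stays inheritable by child processes and nothing records it. Assuming the helper reports success or failure (its declaration is not visible in this hunk), treat a failure like the blocking-mode error, e.g. `if (!smb_set_close_on_exec(fd)) { close(fd); return; }`. Separately, setting the flag after `accept()` is not atomic: if any other thread can fork and exec in between, the descriptor is still inherited, so where the platform provides it `accept4()` with `SOCK_CLOEXEC` closes that window. The body of ctdb_accept_client starts and ends outside this hunk.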