From 3a504d48c39a9dda97b3d02d63c247329631d168 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Mon, 11 Dec 2017 09:39:43 +1300 Subject: source3/rpc_server/rpc_server.c set socket close on exec Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that the socket is unavailable to any child process created by system(). Making it harder for malicious code to set up a command channel, as seen in the exploit for CVE-2015-0240 Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett --- source3/rpc_server/rpc_server.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/rpc_server/rpc_server.c') diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c index e15cd205cdc..94335b3ea53 100644 --- a/source3/rpc_server/rpc_server.c +++ b/source3/rpc_server/rpc_server.c @@ -216,6 +216,7 @@ static void named_pipe_listener(struct tevent_context *ev, } return; } + smb_set_close_on_exec(sd); DEBUG(6, ("Accepted socket %d\n", sd)); @@ -722,6 +723,7 @@ static void dcerpc_ncacn_tcpip_listener(struct tevent_context *ev, } return; } + smb_set_close_on_exec(s); rc = tsocket_address_bsd_from_sockaddr(state, (struct sockaddr *)(void *) &addr, @@ -892,6 +894,7 @@ static void dcerpc_ncalrpc_listener(struct tevent_context *ev, } return; } + smb_set_close_on_exec(sd); rc = tsocket_address_bsd_from_sockaddr(state, addr, len, -- cgit v1.2.1