author | Reyk Floeter <reyk@cvs.openbsd.org> | 2009-04-17 09:58:41 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2009-04-17 09:58:41 +0000 |
commit | 88523db6359488673f27b8a142f053c03e2b0bbe (patch) | |
tree | 50fd22e41d676cd65fb0b4602a046f4a86cae570 | |
parent | 0e6da7e0fe2efb9f3f3cd1483f7a65e6649dc98f (diff) |
close filedescriptors with closefrom(STDERR_FILENO + 1) before executing
the script to prevent access to internal processes.
From jacekm@
-rw-r--r-- | usr.sbin/relayd/check_script.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/usr.sbin/relayd/check_script.c b/usr.sbin/relayd/check_script.c
index f11cb13f5eb..76c90ab4114 100644
--- a/usr.sbin/relayd/check_script.c
+++ b/usr.sbin/relayd/check_script.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: check_script.c,v 1.7 2008/12/05 16:37:55 reyk Exp $ */
+/* $OpenBSD: check_script.c,v 1.8 2009/04/17 09:58:40 reyk Exp $ */
 /*
 * Copyright (c) 2007, 2008 Reyk Floeter <reyk@openbsd.org>
@@ -127,6 +127,13 @@ script_exec(struct relayd *env, struct ctl_script *scr)
 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
 fatal("script_exec: can't drop privileges");
+ /*
+ * close fds before executing an external program, to
+ * prevent access to internal fds, eg. IMSG connections
+ * of internal processes.
+ */
+ closefrom(STDERR_FILENO + 1);
+
 execlp(file, file, arg, (char *)NULL);
 _exit(0);
 break; |
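Review bot: The added `closefrom(STDERR_FILENO + 1);` ignores its return value, so if the call fails the script is still executed with relayd's internal descriptors open, which is exactly what the change is meant to prevent. On OpenBSD closefrom() returns -1 on error, and EBADF (nothing open at or above the given fd) is the only harmless case; I would make any other failure fatal in the same style as the privilege-drop check just above: `if (closefrom(STDERR_FILENO + 1) == -1 && errno != EBADF)` followed by `fatal("script_exec: closefrom");`, assuming errno is already available in this file. The new comment could also say that descriptors 0-2 are deliberately inherited by the script, since whatever they point to stays reachable from it. script_exec starts and ends outside this hunk, so how the parent treats the child's exit status is not visible here.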