authorjca <jca@openbsd.org>2017-10-25 17:08:58 +0000
committerjca <jca@openbsd.org>2017-10-25 17:08:58 +0000
commit558163bf493c58d5180c3420184bd5e6b947095c (patch)
tree12fa2f4c577871204597b730a3cc6391f030348f /usr.sbin/cron
parentNote that notifications are also hooks. (diff)
downloadwireguard-openbsd-558163bf493c58d5180c3420184bd5e6b947095c.tar.xz
wireguard-openbsd-558163bf493c58d5180c3420184bd5e6b947095c.zip
Open a bunch of fds with O_CLOEXEC
Not needed in theory, but could prevent accidental leaks. ok millert@
Diffstat (limited to 'usr.sbin/cron')
-rw-r--r--usr.sbin/cron/atrun.c8
-rw-r--r--usr.sbin/cron/database.c5
2 files changed, 8 insertions, 5 deletions
diff --git a/usr.sbin/cron/atrun.c b/usr.sbin/cron/atrun.c
index bc2e3098bad..0199a0191c8 100644
--- a/usr.sbin/cron/atrun.c
+++ b/usr.sbin/cron/atrun.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: atrun.c,v 1.47 2017/10/23 15:15:22 jca Exp $ */
+/* $OpenBSD: atrun.c,v 1.48 2017/10/25 17:08:58 jca Exp $ */
/*
* Copyright (c) 2002-2003 Todd C. Miller <Todd.Miller@courtesan.com>
@@ -83,7 +83,8 @@ scan_atjobs(at_db **db, struct timespec *ts)
struct dirent *file;
struct stat sb;
- if ((dfd = open(_PATH_AT_SPOOL, O_RDONLY|O_DIRECTORY)) == -1) {
+ dfd = open(_PATH_AT_SPOOL, O_RDONLY|O_DIRECTORY|O_CLOEXEC);
+ if (dfd == -1) {
syslog(LOG_ERR, "(CRON) OPEN FAILED (%s)", _PATH_AT_SPOOL);
return (0);
}
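Review bot: The new O_CLOEXEC on the `open()` in scan_atjobs (and on the identical call in the atrun hunk below) has no rationale in the code; only the commit message explains it. A one-line comment above each call would help, for example `/* O_CLOEXEC: the spool dirfd must never be inherited by an exec'd job */`. Close-on-exec only takes effect at exec, so it is a backstop. A child forked while dfd is still open holds the descriptor until it execs, and whether dfd is closed on every path before a fork cannot be seen from here. Both function bodies continue outside their hunks.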
@@ -175,7 +176,8 @@ atrun(at_db *db, double batch_maxload, time_t now)
if (db == NULL)
return;
- if ((dfd = open(_PATH_AT_SPOOL, O_RDONLY|O_DIRECTORY)) == -1) {
+ dfd = open(_PATH_AT_SPOOL, O_RDONLY|O_DIRECTORY|O_CLOEXEC);
+ if (dfd == -1) {
syslog(LOG_ERR, "(CRON) OPEN FAILED (%s)", _PATH_AT_SPOOL);
return;
}
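Review bot: The error branch after the rewritten `open()` in atrun (and the same branch in scan_atjobs) logs the path but not the reason for the failure. With O_DIRECTORY in the flags, the failure could be a wrong file type, a permission problem or descriptor exhaustion, and the log cannot tell these apart. Appending errno via syslog's `%m` would fix that: `syslog(LOG_ERR, "(CRON) OPEN FAILED (%s): %m", _PATH_AT_SPOOL);`.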
diff --git a/usr.sbin/cron/database.c b/usr.sbin/cron/database.c
index 950c9713d91..7265dfb75bd 100644
--- a/usr.sbin/cron/database.c
+++ b/usr.sbin/cron/database.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: database.c,v 1.35 2017/06/07 23:36:43 millert Exp $ */
+/* $OpenBSD: database.c,v 1.36 2017/10/25 17:08:58 jca Exp $ */
/* Copyright 1988,1990,1993,1994 by Paul Vixie
* Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
@@ -182,7 +182,8 @@ process_crontab(int dfd, const char *uname, const char *fname,
goto next_crontab;
}
- crontab_fd = openat(dfd, fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW);
+ crontab_fd = openat(dfd, fname,
+ O_RDONLY|O_NONBLOCK|O_NOFOLLOW|O_CLOEXEC);
if (crontab_fd < 0) {
/* crontab not accessible?
*/
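Review bot: The `openat()` in process_crontab now carries three defensive flags, and none of them is explained next to the call. A short comment would keep a later edit from dropping one, for example `/* NONBLOCK: don't hang on a FIFO; NOFOLLOW: reject symlinks; CLOEXEC: don't leak to jobs */`. O_NOFOLLOW only covers the final path component, so the call relies on fname being a bare name with no '/'. That is decided by the caller and is not visible in this hunk. The function body starts and ends outside the hunk.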