From 88523db6359488673f27b8a142f053c03e2b0bbe Mon Sep 17 00:00:00 2001
From: Reyk Floeter <reyk@cvs.openbsd.org>
Date: Fri, 17 Apr 2009 09:58:41 +0000
Subject: close filedescriptors with closefrom(STDERR_FILENO + 1) before
 executing the script to prevent access to internal processes.

From jacekm@
---
 usr.sbin/relayd/check_script.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/relayd/check_script.c b/usr.sbin/relayd/check_script.c
index f11cb13f5eb..76c90ab4114 100644
--- a/usr.sbin/relayd/check_script.c
+++ b/usr.sbin/relayd/check_script.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: check_script.c,v 1.7 2008/12/05 16:37:55 reyk Exp $	*/
+/*	$OpenBSD: check_script.c,v 1.8 2009/04/17 09:58:40 reyk Exp $	*/
 
 /*
  * Copyright (c) 2007, 2008 Reyk Floeter <reyk@openbsd.org>
@@ -127,6 +127,13 @@ script_exec(struct relayd *env, struct ctl_script *scr)
 		    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
 			fatal("script_exec: can't drop privileges");
 
+		/*
+		 * close fds before executing an external program, to
+		 * prevent access to internal fds, eg. IMSG connections
+		 * of internal processes.
+		 */
+		closefrom(STDERR_FILENO + 1);
+
 		execlp(file, file, arg, (char *)NULL);
 		_exit(0);
 		break;
-- 
cgit v1.2.3