close more file descriptors on exec

Don't inherit the --status and --ifconfig-pool-persist, and on Linux
the epoll(7), file descriptors to scripts and other processes that
may be forked by plugins.

Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1359728354-9405-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7312
Signed-off-by: David Sommerseth <davids@redhat.com>

2 files changed, 5 insertions, 0 deletions

diff --git a/src/openvpn/event.c b/src/openvpn/event.c
index 2a13e1c..34a3c45 100644
--- a/src/openvpn/event.c
+++ b/src/openvpn/event.c
@@ -34,6 +34,7 @@
 #include "error.h"
 #include "integer.h"
 #include "event.h"
+#include "fdmisc.h"
 
 #include "memdbg.h"
 
@@ -582,6 +583,8 @@ ep_init (int *maxevents, unsigned int flags)
   if (fd < 0)
     return NULL;
 
+  set_cloexec (fd);
+
   ALLOC_OBJ_CLEAR (eps, struct ep_set);
 
   /* set dispatch functions */
diff --git a/src/openvpn/status.c b/src/openvpn/status.c
index 5f9ab9e..b7ff484 100644
--- a/src/openvpn/status.c
+++ b/src/openvpn/status.c
@@ -33,6 +33,7 @@
 #include "status.h"
 #include "perf.h"
 #include "misc.h"
+#include "fdmisc.h"
 
 #include "memdbg.h"
 
@@ -98,6 +99,7 @@ status_open (const char *filename,
 	  if (so->fd >= 0)
 	    {
 	      so->filename = string_alloc (filename, NULL);
+             set_cloexec (so->fd);
 
 	      /* allocate read buffer */
 	      if (so->flags & STATUS_OUTPUT_READ)