| author | Ken Raeburn <raeburn@mit.edu> | 2007-10-22 19:18:53 +0000 |
|---|---|---|
| committer | Ken Raeburn <raeburn@mit.edu> | 2007-10-22 19:18:53 +0000 |
| commit | 3d8fa6bb4012296a53fe04e486a9157a2963b644 (patch) | |
| tree | 7c0f5dcc658ebd75d758024a21097af95d616e05 /src/include | |
| parent | 70e8d7a6c50bbdb547150eba0abdef46d93d5b71 (diff) | |
Set close-on-exec flag in most places where file descriptors are
opened in our libraries (in case another application thread spawns a
new process) and in the KDC programs (in case a plugin library spawns
a new process).
Checked calls to: open fopen THREEPARAMOPEN mkstemp socket accept dup
dup2 pipe. In: util lib plugins kdc kadmin/server krb524.
The various programs are less critical than the libraries, as any
well-written plugin that spawns a new process should close all file
descriptors it doesn't need to communicate with the new process.
This approach also isn't bulletproof, as the call to set the
close-on-exec flag is necessarily a separate call from creating the
file descriptor, and the fork call could happen in between them. So
plugins should be careful regardless of this patch; it will only
reduce the window of potential lossage should a plugin be poorly
written. (AFAIK there are currently no plugins that spawn processes
where this would be a problem.)
Update dependencies.
ticket: 5561
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20143 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
| -rw-r--r-- | src/include/k5-platform.h | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/src/include/k5-platform.h b/src/include/k5-platform.h
index 141ea94f78..a143ab52a6 100644
--- a/src/include/k5-platform.h
+++ b/src/include/k5-platform.h
@@ -47,6 +47,8 @@
 #include <limits.h>
 #include <stdlib.h>
 #include <stdio.h>
+#include <fcntl.h>
+#include <errno.h>
 #ifdef _WIN32
 #define CAN_COPY_VA_LIST
@@ -752,6 +754,52 @@ load_64_n (const unsigned char *p)
 (*(OUT) = getpwuid(UID), *(OUT) == NULL ? -1 : 0)
 #endif
+/* Ensure, if possible, that the indicated file descriptor won't be
+ kept open if we exec another process (e.g., launching a ccapi
+ server). If we don't know how to do it... well, just go about our
+ business. Probably most callers won't check the return status
+ anyways. */
+
+#if 0
+static inline int
+set_cloexec_fd(int fd)
+{
+#if defined(F_SETFD)
+# ifdef FD_CLOEXEC
+ if (fcntl(fd, F_SETFD, FD_CLOEXEC) != 0)
+ return errno;
+# else
+ if (fcntl(fd, F_SETFD, 1) != 0)
+ return errno;
+# endif
+#endif
+ return 0;
+}
+
+static inline int
+set_cloexec_file(FILE *f)
+{
+ return set_cloexec_fd(fileno(f));
+}
+#else
+/* Macros make the Sun compiler happier, and all variants of this do a
+ single evaluation of the argument, and fcntl and fileno should
+ produce reasonable error messages on type mismatches, on any system
+ with F_SETFD. */
+#ifdef F_SETFD
+# ifdef FD_CLOEXEC
+# define set_cloexec_fd(FD) (fcntl((FD), F_SETFD, FD_CLOEXEC) ? errno : 0)
+# else
+# define set_cloexec_fd(FD) (fcntl((FD), F_SETFD, 1) ? errno : 0)
+# endif
+#else
+# define set_cloexec_fd(FD) ((FD),0)
+#endif
+#define set_cloexec_file(F) set_cloexec_fd(fileno(F))
+#endif
+
+
+
 /* Since the original ANSI C spec left it undefined whether or how you could copy around a va_list, C 99 added va_copy. For old implementations, let's do our best to fake it.
@@ -892,4 +940,6 @@ extern int krb5int_mkstemp(char *);
 #define mkstemp krb5int_mkstemp
 #endif
+
+
 #endif /* K5_PLATFORM_H */ |
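Review bot: Both forms of `set_cloexec_fd` in the second hunk (the `#if 0` inline function and the live macros) pass `FD_CLOEXEC` straight to `F_SETFD` without reading the current flags via `F_GETFD`, so any other descriptor flag a platform defines is cleared as a side effect; that is probably harmless where FD_CLOEXEC is the only such flag, but the read-modify-write form is the portable one. A macro cannot do that without evaluating `FD` twice, so the sketch below revives the inline function instead of leaving it as dead code; the macro form was chosen for the Sun compiler, so this needs checking there. The header comment should also state the contract, e.g. `/* Returns 0 on success, or when F_SETFD is unavailable and nothing was done; otherwise errno, with the descriptor still inheritable across exec. */`, since the `((FD),0)` fallback reports success without setting the flag.

```c
static inline int
set_cloexec_fd(int fd)
{
#if defined(F_GETFD) && defined(F_SETFD)
    int flags = fcntl(fd, F_GETFD);

    if (flags == -1)
        return errno;
# ifdef FD_CLOEXEC
    flags |= FD_CLOEXEC;
# else
    flags |= 1;
# endif
    if (fcntl(fd, F_SETFD, flags) != 0)
        return errno;
#endif
    return 0;
}
/* ... unchanged: set_cloexec_file ... */
```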
