authorKen Raeburn <raeburn@mit.edu>2007-10-22 19:18:53 +0000
committerKen Raeburn <raeburn@mit.edu>2007-10-22 19:18:53 +0000
commit3d8fa6bb4012296a53fe04e486a9157a2963b644 (patch)
tree7c0f5dcc658ebd75d758024a21097af95d616e05 /src/lib/krb5
parent70e8d7a6c50bbdb547150eba0abdef46d93d5b71 (diff)
Set close-on-exec flag in most places where file descriptors are
opened in our libraries (in case another application thread spawns a new process) and in the KDC programs (in case a plugin library spawns a new process). Checked calls to: open fopen THREEPARAMOPEN mkstemp socket accept dup dup2 pipe. In: util lib plugins kdc kadmin/server krb524. The various programs are less critical than the libraries, as any well-written plugin that spawns a new process should close all file descriptors it doesn't need to communicate with the new process. This approach also isn't bulletproof, as the call to set the close-on-exec flag is necessarily a separate call from creating the file descriptor, and the fork call could happen in between them. So plugins should be careful regardless of this patch; it will only reduce the window of potential lossage should a plugin be poorly written. (AFAIK there are currently no plugins that spawn processes where this would be a problem.) Update dependencies. ticket: 5561 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20143 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5')
-rw-r--r--src/lib/krb5/ccache/cc_file.c3
-rw-r--r--src/lib/krb5/keytab/kt_file.c1
-rw-r--r--src/lib/krb5/keytab/kt_srvtab.c3
-rw-r--r--src/lib/krb5/os/kuserok.c3
-rw-r--r--src/lib/krb5/os/localaddr.c7
-rw-r--r--src/lib/krb5/os/prompter.c1
-rw-r--r--src/lib/krb5/os/sendto_kdc.c1
-rw-r--r--src/lib/krb5/rcache/rc_io.c3
8 files changed, 19 insertions, 3 deletions
diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
index 9abf93f..6206149 100644
--- a/src/lib/krb5/ccache/cc_file.c
+++ b/src/lib/krb5/ccache/cc_file.c
@@ -1252,6 +1252,7 @@ krb5_fcc_open_file (krb5_context context, krb5_ccache id, int mode)
return krb5_fcc_interpret (context, errno);
}
}
+ set_cloexec_fd(f);
data->mode = mode;
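Review bot: The close-on-exec flag in krb5_fcc_open_file is applied by a separate `set_cloexec_fd(f);` call after the descriptor already exists, so a fork and exec in another thread between the two calls still hands the credential-cache descriptor to the child, as the commit message itself concedes. Where the platform defines it, asking for the flag at creation closes that window: `O_CLOEXEC` in the open flags here, `SOCK_CLOEXEC` in the socket type for the socket() hunks in localaddr.c (and presumably sendto_kdc.c), and `fcntl(fd, F_DUPFD_CLOEXEC, 0)` in place of dup() in prompter.c and rc_io.c. Each would sit under an `#ifdef` with the current set_cloexec_fd call kept as the fallback for older systems. The open() call is above this hunk, so the exact flag expression to extend is not visible here; at minimum a comment such as `/* not atomic with open(); a concurrent fork+exec can still inherit f */` would record the limitation in the code rather than only in the commit log.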
@@ -1560,6 +1561,7 @@ krb5_fcc_destroy(krb5_context context, krb5_ccache id)
kret = krb5_fcc_interpret(context, errno);
goto cleanup;
}
+ set_cloexec_fd(ret);
data->file = ret;
}
else
@@ -1980,6 +1982,7 @@ krb5_fcc_generate_new (krb5_context context, krb5_ccache *id)
k5_mutex_unlock(&krb5int_cc_file_mutex);
return krb5_fcc_interpret(context, errno);
}
+ set_cloexec_fd(ret);
/* Allocate memory */
data = (krb5_pointer) malloc(sizeof(krb5_fcc_data));
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index e6e04e3..1baa800 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -1156,6 +1156,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
}
}
}
+ set_cloexec_file(KTFILEP(id));
if ((kerror = krb5_lock_file(context, fileno(KTFILEP(id)), mode))) {
(void) fclose(KTFILEP(id));
KTFILEP(id) = 0;
diff --git a/src/lib/krb5/keytab/kt_srvtab.c b/src/lib/krb5/keytab/kt_srvtab.c
index 5a80f32..e3dd009 100644
--- a/src/lib/krb5/keytab/kt_srvtab.c
+++ b/src/lib/krb5/keytab/kt_srvtab.c
@@ -1,7 +1,7 @@
/*
* lib/krb5/keytab/srvtab/kts_resolv.c
*
- * Copyright 1990,1991,2002 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2002,2007 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -411,6 +411,7 @@ krb5_ktsrvint_open(krb5_context context, krb5_keytab id)
KTFILEP(id) = fopen(KTFILENAME(id), READ_MODE);
if (!KTFILEP(id))
return errno;
+ set_cloexec_file(KTFILEP(id));
return 0;
}
diff --git a/src/lib/krb5/os/kuserok.c b/src/lib/krb5/os/kuserok.c
index 1505c82..719faae 100644
--- a/src/lib/krb5/os/kuserok.c
+++ b/src/lib/krb5/os/kuserok.c
@@ -1,7 +1,7 @@
/*
* lib/krb5/os/kuserok.c
*
- * Copyright 1990,1993 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1993,2007 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -110,6 +110,7 @@ krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser)
free(princname);
return(FALSE);
}
+ set_cloexec_file(fp);
/*
* For security reasons, the .k5login file must be owned either by
* the user himself, or by root. Otherwise, don't grant access.
diff --git a/src/lib/krb5/os/localaddr.c b/src/lib/krb5/os/localaddr.c
index 75953b1..e139ca4 100644
--- a/src/lib/krb5/os/localaddr.c
+++ b/src/lib/krb5/os/localaddr.c
@@ -1,7 +1,7 @@
/*
* lib/krb5/os/localaddr.c
*
- * Copyright 1990,1991,2000,2001,2002,2004 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2000,2001,2002,2004,2007 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -363,6 +363,7 @@ get_linux_ipv6_addrs ()
int i;
unsigned int addrbyte[16];
+ set_cloexec_file(f);
while (fscanf(f,
"%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x"
" %2x %2x %2x %2x %20s\n",
@@ -543,6 +544,7 @@ foreach_localaddr (/*@null@*/ void *data,
Tperror ("socket");
continue;
}
+ set_cloexec_fd(P.sock);
P.lifnum.lifn_family = P.af;
P.lifnum.lifn_flags = 0;
@@ -718,6 +720,7 @@ foreach_localaddr (/*@null@*/ void *data,
Tperror ("socket");
continue;
}
+ set_cloexec_fd(P.sock);
code = ioctl (P.sock, SIOCGLIFNUM, &P.if_num);
if (code) {
@@ -939,6 +942,7 @@ foreach_localaddr (/*@null@*/ void *data,
s = socket (USE_AF, USE_TYPE, USE_PROTO);
if (s < 0)
return SOCKET_ERRNO;
+ set_cloexec_fd(s);
retval = get_ifreq_array(&buf, &n, s);
if (retval) {
@@ -1450,6 +1454,7 @@ static struct hostent *local_addr_fallback_kludge()
sock = socket(AF_INET, SOCK_DGRAM, 0);
if (sock == INVALID_SOCKET)
return NULL;
+ set_cloexec_fd(sock);
/* connect to arbitrary port and address (NOT loopback) */
addr.sin_family = AF_INET;
diff --git a/src/lib/krb5/os/prompter.c b/src/lib/krb5/os/prompter.c
index 739c8c7..36803ec 100644
--- a/src/lib/krb5/os/prompter.c
+++ b/src/lib/krb5/os/prompter.c
@@ -60,6 +60,7 @@ krb5_prompter_posix(
fd = dup(STDIN_FILENO);
if (fd < 0)
return KRB5_LIBOS_CANTREADPWD;
+ set_cloexec_fd(fd);
fp = fdopen(fd, "r");
if (fp == NULL)
goto cleanup;
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 9992747..050aec5 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -677,6 +677,7 @@ start_connection (struct conn_state *state,
dprint("socket: fd %d too high\n", fd);
return -1;
}
+ set_cloexec_fd(fd);
/* Make it non-blocking. */
if (ai->ai_socktype == SOCK_STREAM) {
static const int one = 1;
diff --git a/src/lib/krb5/rcache/rc_io.c b/src/lib/krb5/rcache/rc_io.c
index 3235728..b76a8dd 100644
--- a/src/lib/krb5/rcache/rc_io.c
+++ b/src/lib/krb5/rcache/rc_io.c
@@ -143,6 +143,7 @@ krb5_rc_io_creat(krb5_context context, krb5_rc_iostuff *d, char **fn)
goto cleanup;
}
}
+ set_cloexec_fd(d->fd);
retval = krb5_rc_io_write(context, d, (krb5_pointer)&rc_vno,
sizeof(rc_vno));
if (retval)
@@ -239,6 +240,7 @@ krb5_rc_io_open_internal(krb5_context context, krb5_rc_iostuff *d, char *fn,
goto cleanup;
}
}
+ set_cloexec_fd(d->fd);
do_not_unlink = 0;
retval = krb5_rc_io_read(context, d, (krb5_pointer) &rc_vno,
@@ -341,6 +343,7 @@ krb5_rc_io_move(krb5_context context, krb5_rc_iostuff *new1,
(void) krb5_rc_io_close(context, new1);
new1->fn = fn;
new1->fd = dup(old->fd);
+ set_cloexec_fd(new1->fd);
return 0;
#endif
}
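Review bot: In krb5_rc_io_move the result of `dup(old->fd)` is stored in new1->fd and passed straight to `set_cloexec_fd(new1->fd)` with no check, and the function then returns 0. If dup fails (for example at the process descriptor limit), new1->fd is -1, the flag call operates on an invalid descriptor, and the caller is told the move succeeded; the replay cache would then fail later on its first read or write, far from the cause. A guard before the new line, `if (new1->fd == -1) return KRB5_RC_IO_UNKNOWN;` (or whichever code the file's errno mapping would produce, which is not visible in this hunk), keeps the failure at its source. The function starts above the hunk and this is only the branch before `#endif`, so the other branch should be checked for the same pattern.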