From 079b975469efb6b80b24d50013ff2bf9572112d8 Mon Sep 17 00:00:00 2001
From: Karol Babioch
Date: Thu, 5 Apr 2018 14:20:08 +0200
Subject: [PATCH] Open file descriptors with O_CLOEXEC

This opens any file descriptors with the O_CLOEXEC flag, which will make sure that file descriptors won't be leaked into any child process. This was previously an issue due to a forgotten fclose() (#136).
---
 pam_yubico.c | 2 +-
 util.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pam_yubico.c b/pam_yubico.c
index 10ee6fc..c36ca0e 100644
--- a/pam_yubico.c
+++ b/pam_yubico.c
@@ -535,7 +535,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
 }
 }
 
- fd = open(userfile, O_RDONLY, 0);
+ fd = open(userfile, O_RDONLY | O_CLOEXEC, 0);
 if (fd < 0) {
 DBG ("Cannot open file: %s (%s)", userfile, strerror(errno));
 goto restpriv_out;
diff --git a/util.c b/util.c
index e6e8095..2112a58 100644
--- a/util.c
+++ b/util.c
@@ -109,7 +109,7 @@ check_user_token (const char *authfile,
 struct stat st;
 FILE *opwfile;
 
- fd = open(authfile, O_RDONLY, 0);
+ fd = open(authfile, O_RDONLY | O_CLOEXEC, 0);
 if (fd < 0) {
 if(verbose)
 D (debug_file, "Cannot open file: %s (%s)", authfile, strerror(errno));
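Review bot: Both changed `open()` calls, here in `do_challenge_response` and in `check_user_token` in util.c, now rely on `O_CLOEXEC` being defined and honoured, and nothing visible in the patch guards that. Where the macro is missing the build breaks, and a kernel that does not know the flag may leave the descriptor inheritable without reporting an error. Consider an `#ifndef O_CLOEXEC` fallback that sets the flag after a successful open, e.g. `if (fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) { close(fd); goto restpriv_out; }`, or state the minimum platform in the build documentation. A comment at the call would record the intent: `/* O_CLOEXEC: the process that loaded this PAM module may fork/exec; keep this fd out of children */`. The function body starts and ends outside the hunk.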
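Review bot: In `check_user_token`, close-on-exec only stops the `authfile` descriptor from crossing an exec; it does not release it inside the long-running process that loaded the module, so every return path after this `open()` still has to close it. The `FILE *opwfile` declaration suggests the fd is later wrapped with `fdopen()`, which this hunk does not show; if so, a failed `fdopen()` needs an explicit `close(fd)` and the success paths need `fclose(opwfile)`. I would document that ownership at the open, e.g. `/* fd is owned by opwfile after fdopen(); close(fd) on any earlier error return */`. The function body starts and ends outside the hunk, so the existing cleanup could not be checked here.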