Close all unwanted open file descriptors before executing commands and mail.

There might be file descriptors open by things like pam_systemd that
we do not want to keep open for the child process.

Original idea by: Jakub Jelen <jjelen@redhat.com>

diff --git a/src/do_command.c b/src/do_command.c
index 4ed6bb6178c9771af8c4d77037f61d4e66a8836b..ae3abb7892d98653dfef33c0f18ad1944076a0cc 100644 (file)
--- a/src/do_command.c
+++ b/src/do_command.c
@@ -238,6 +238,12 @@ static int child_process(entry * e, char **jobenv) {
                 */
                {
                        char *shell = env_get("SHELL", jobenv);
+                       int fd, fdmax = getdtablesize();
+
+                       /* close all unwanted open file descriptors */
+                       for(fd = STDERR + 1; fd < fdmax; fd++) {
+                               close(fd);
+                       }
 
 #if DEBUGGING
                        if (DebugFlags & DTEST) {

diff --git a/src/popen.c b/src/popen.c
index aa36ff78465acee236c9f0812efd356a092ac8b6..4efebeed802e48fbf8c4d7c8beaef2a2c9b90b14 100644 (file)
--- a/src/popen.c
+++ b/src/popen.c
@@ -69,6 +69,7 @@ FILE *cron_popen(char *program, const char *type, struct passwd *pw) {
        ssize_t out;
        char buf[PIPE_BUF];
        struct sigaction sa;
+       int fd;
 
 #ifdef __GNUC__
        (void) &iop;    /* Avoid fork clobbering */
@@ -121,6 +122,11 @@ FILE *cron_popen(char *program, const char *type, struct passwd *pw) {
                sa.sa_handler = SIG_DFL;
                sigaction(SIGPIPE, &sa, NULL);
 
+               /* close all unwanted open file descriptors */
+               for (fd = STDERR + 1; fd < fds; fd++) {
+                       close(fd);
+               }
+
                if (cron_change_user_permanently(pw, pw->pw_dir) != 0)
                        _exit(2);