commit 90f2e0047cdf7d959731d451b1d00ba8df503ad5
from: Stefan Sperling <stsp@stsp.name>
via: Thomas Adam <thomas@xteddy.org>
date: Tue Apr 22 16:18:42 2025 UTC

set close-on-exec flag on more files used during gotd reload

commit - 9a64f34b64fc72344bc88edeb84e88075896744f
commit + 90f2e0047cdf7d959731d451b1d00ba8df503ad5
blob - 5e3ef4edb1a17a422e0e5534872a5b3418fe5281
blob + 122a287f90c126dc044b6bf48544f73244e0188c
--- gotd/gotd.c
+++ gotd/gotd.c
@@ -757,6 +757,10 @@ reload_gotd(struct gotd_client *client, struct imsg *i
 	gotd_reload_conf_fd = imsg_get_fd(imsg);
 	if (gotd_reload_conf_fd == -1) {
 		err = got_error(GOT_ERR_PRIVSEP_NO_FD);
+		goto done;
+	}
+	if (fcntl(gotd_reload_conf_fd, F_SETFD, FD_CLOEXEC) == -1) {
+		err = got_error_from_errno("fcntl");
 		goto done;
 	}
 
@@ -886,6 +890,11 @@ recv_reload_secrets(struct imsg *imsg)
 	gotd_reload_secrets_fd = imsg_get_fd(imsg);
 	if (gotd_reload_secrets_fd == -1)
 		return NULL; /* no secrets being used */
+
+	if (fcntl(gotd_reload_secrets_fd, F_SETFD, FD_CLOEXEC) == -1) {
+		err = got_error_from_errno("fcntl");
+		goto done;
+	}
 
 	datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
 	if (datalen == 0) {
@@ -3668,6 +3677,9 @@ main(int argc, char **argv)
 				gotd_reload_conf_fd = imsg_get_fd(&imsg);
 				if (gotd_reload_conf_fd != -1)
 					break;
+				if (fcntl(gotd_reload_conf_fd,
+				    F_SETFD, FD_CLOEXEC) == -1)
+					error = got_error_from_errno("fcntl");
 				error = got_error(GOT_ERR_PRIVSEP_NO_FD);
 				break;
 			}