commit 476374d8eb748fb68a2604fd7155a4cbeb80ccd6
from: Stefan Sperling <stsp@stsp.name>
date: Mon Mar 24 15:55:32 2025 UTC

set close-on-exec flag on more files used during gotd reload

commit - ef5e843f236f129cd9d8cd452e36ba5fbdb961a2
commit + 476374d8eb748fb68a2604fd7155a4cbeb80ccd6
blob - b95e13e77f8c49ca274a99c59c07f8871385d82f
blob + 15dd351361fd1d2375c7a06b7850a4048a918aac
--- gotd/gotd.c
+++ gotd/gotd.c
@@ -728,6 +728,10 @@ reload_gotd(struct gotd_client *client, struct imsg *i
 	gotd_reload_conf_fd = imsg_get_fd(imsg);
 	if (gotd_reload_conf_fd == -1) {
 		err = got_error(GOT_ERR_PRIVSEP_NO_FD);
+		goto done;
+	}
+	if (fcntl(gotd_reload_conf_fd, F_SETFD, FD_CLOEXEC) == -1) {
+		err = got_error_from_errno("fcntl");
 		goto done;
 	}
 
@@ -857,6 +861,11 @@ recv_reload_secrets(struct imsg *imsg)
 	gotd_reload_secrets_fd = imsg_get_fd(imsg);
 	if (gotd_reload_secrets_fd == -1)
 		return NULL; /* no secrets being used */
+
+	if (fcntl(gotd_reload_secrets_fd, F_SETFD, FD_CLOEXEC) == -1) {
+		err = got_error_from_errno("fcntl");
+		goto done;
+	}
 
 	datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
 	if (datalen == 0) {
@@ -3599,6 +3608,9 @@ main(int argc, char **argv)
 				gotd_reload_conf_fd = imsg_get_fd(&imsg);
 				if (gotd_reload_conf_fd != -1)
 					break;
+				if (fcntl(gotd_reload_conf_fd,
+				    F_SETFD, FD_CLOEXEC) == -1)
+					error = got_error_from_errno("fcntl");
 				error = got_error(GOT_ERR_PRIVSEP_NO_FD);
 				break;
 			}