From 1e3fe79e3a5346bc2dbf8108afec1e69a42ff822 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Tue, 28 Mar 2023 09:50:17 -0700
Subject: Set close-on-exec when opening files

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 src/ICElibint.h | 6 ++++++
 src/authutil.c  | 5 +++--
 src/getauth.c   | 2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/ICElibint.h b/src/ICElibint.h
index 3794085..00c15ca 100644
--- a/src/ICElibint.h
+++ b/src/ICElibint.h
@@ -43,6 +43,12 @@ Author: Ralph Mor, X Consortium
 #include <stdlib.h>
 #include <stddef.h>
 
+#ifdef O_CLOEXEC
+#define FOPEN_CLOEXEC "e"
+#else
+#define FOPEN_CLOEXEC ""
+#define O_CLOEXEC 0
+#endif
 
 /*
  * Vendor & Release
diff --git a/src/authutil.c b/src/authutil.c
index 86a716b..a47cf46 100644
--- a/src/authutil.c
+++ b/src/authutil.c
@@ -175,7 +175,8 @@ IceLockAuthFile (
     {
 	if (creat_fd == -1)
 	{
-	    creat_fd = creat (creat_name, 0666);
+	    creat_fd = open (creat_name,
+                             O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0666);
 
 	    if (creat_fd == -1)
 	    {
@@ -347,7 +348,7 @@ IceGetAuthFileEntry (
     if (access (filename, R_OK) != 0)		/* checks REAL id */
 	return (NULL);
 
-    if (!(auth_file = fopen (filename, "rb")))
+    if (!(auth_file = fopen (filename, "rb" FOPEN_CLOEXEC)))
 	return (NULL);
 
     for (;;)
diff --git a/src/getauth.c b/src/getauth.c
index abd5644..b792e3e 100644
--- a/src/getauth.c
+++ b/src/getauth.c
@@ -146,7 +146,7 @@ _IceGetPoValidAuthIndices (
     if (access (filename, R_OK) != 0)		/* checks REAL id */
 	return;
 
-    if (!(auth_file = fopen (filename, "rb")))
+    if (!(auth_file = fopen (filename, "rb" FOPEN_CLOEXEC)))
 	return;
 
     for (;;)
-- 
cgit v1.2.3