On 21.10.2025 at 21:40, Gert Doering wrote:
Hi,
On Tue, Oct 21, 2025 at 06:11:06PM +0000, Joshua Rogers via Openvpn-devel wrote:
The accept path calls set_cloexec(sd) after accept(). That re-flags the
listening socket, which is already CLOEXEC from create_socket_tcp(), and
leaves new_sd inheritable. As a result, client-connect and auth scripts
spawned after accept can inherit the connected socket and read or write
the raw TCP stream. This defeats the stated intent to prevent scripts from
accessing the client socket.
Impressive find. I had to actually look at the code to see what
you are talking about :-)
So we do
new_sd = accept(sd, &act->dest.addr.sa, &remote_len);
and then
/* set socket file descriptor to not pass across execs, so that
* scripts don't have access to it */
set_cloexec(sd);
Before committing we have to check that port-share does not rely on this
behaviour to pass the fd to the forked instances. I didn't check right now.
Arne
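The descriptor mix-up described in the thread, reproduced over a loopback TCP connection as an added example that is not part of the thread or of the OpenVPN code base. `set_cloexec_fd()`, `accept_cloexec()`, `fd_is_cloexec()` and `demo_accept_cloexec()` are names chosen here; the listener is flagged close-on-exec up front to mirror what the thread says `create_socket_tcp()` already does, and the "buggy" path applies the flag to the listening socket `sd` after `accept()`, exactly as quoted, so the check on the accepted descriptor shows it is still inheritable by any child the process later `exec()`s:

```c
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 1 if FD_CLOEXEC is set on fd, 0 if it is clear, -1 on error. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) {
        return -1;
    }
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Set FD_CLOEXEC on fd (plays the role of set_cloexec() in the thread). */
int set_cloexec_fd(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) {
        return -1;
    }
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Corrected accept path: flag the *accepted* descriptor, not the listener.
 * accept() does not copy FD_CLOEXEC from the listening socket, so without
 * this step new_sd stays inheritable across exec(). */
int accept_cloexec(int sd, struct sockaddr *addr, socklen_t *len)
{
    int new_sd = accept(sd, addr, len);
    if (new_sd < 0) {
        return -1;
    }
    if (set_cloexec_fd(new_sd) < 0) {
        close(new_sd);
        return -1;
    }
    return new_sd;
}

/* Listening socket on 127.0.0.1 with a kernel-chosen port (constructed test fixture). */
static int listen_loopback(unsigned short *port_out)
{
    struct sockaddr_in a;
    socklen_t alen = sizeof a;
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    if (ls < 0) {
        return -1;
    }
    set_cloexec_fd(ls); /* listener already CLOEXEC, as create_socket_tcp() is said to do */
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = 0;
    if (bind(ls, (struct sockaddr *)&a, sizeof a) < 0 || listen(ls, 4) < 0
        || getsockname(ls, (struct sockaddr *)&a, &alen) < 0) {
        close(ls);
        return -1;
    }
    *port_out = ntohs(a.sin_port);
    return ls;
}

static int connect_loopback(unsigned short port)
{
    struct sockaddr_in a;
    int cs = socket(AF_INET, SOCK_STREAM, 0);
    if (cs < 0) {
        return -1;
    }
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = htons(port);
    if (connect(cs, (struct sockaddr *)&a, sizeof a) < 0) {
        close(cs);
        return -1;
    }
    return cs;
}

/* Returns 1 when the buggy path leaves the accepted socket inheritable AND the
 * corrected path leaves it close-on-exec; 0 on any other outcome or error. */
int demo_accept_cloexec(void)
{
    unsigned short port;
    int ls, c1 = -1, c2 = -1, buggy_sd = -1, fixed_sd = -1, result = 0;

    ls = listen_loopback(&port);
    if (ls < 0) {
        return 0;
    }
    /* Buggy path as quoted in the thread: set_cloexec(sd) after accept(). */
    c1 = connect_loopback(port);
    buggy_sd = (c1 < 0) ? -1 : accept(ls, NULL, NULL);
    if (buggy_sd >= 0) {
        set_cloexec_fd(ls); /* re-flags the listener; new_sd untouched */
    }
    /* Corrected path: flag the accepted descriptor itself. */
    c2 = connect_loopback(port);
    fixed_sd = (c2 < 0) ? -1 : accept_cloexec(ls, NULL, NULL);

    if (buggy_sd >= 0 && fixed_sd >= 0) {
        result = (fd_is_cloexec(buggy_sd) == 0) && (fd_is_cloexec(fixed_sd) == 1);
    }
    close(fixed_sd); close(buggy_sd); close(c2); close(c1); close(ls);
    return result;
}

int main(void)
{
    printf("accepted socket protected only by the corrected path: %s\n",
           demo_accept_cloexec() ? "yes" : "no");
    return 0;
}
```

On Linux the same result is reached atomically with `accept4(sd, addr, len, SOCK_CLOEXEC)`, which closes the window between `accept()` and `fcntl()` during which a concurrent `fork()`/`exec()` could still inherit the descriptor; `fd_is_cloexec()` is the kind of check a unit test for the accept path can apply to `new_sd` right after it is returned.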
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel