[Openvpn-devel,v4] sitnl: set FD_CLOEXEC on socket to prevent abuse

Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7000:2995:b0:72f:f16c:e055 with SMTP id
 f21csp2163574max;
        Tue, 28 Oct 2025 09:29:03 -0700 (PDT)
X-Forwarded-Encrypted: i=2;
 AJvYcCXQcuJNwHnSSDvku7Wt2i87XihUmNOXWuuwv1DT1o3ZZc+WUJ/dQXWfVgvw/pyY+DFj11uHZfgoo1g=@openvpn.net
X-Google-Smtp-Source: 
 AGHT+IH2JaX2KpZOK5tRcq683RakAZuT3Lfyl+hWbSdFNAHyLGsqS3JEFc2/j/Yaly9KMLk8byp0
X-Received: by 2002:a05:6808:1507:b0:44f:6d6d:5266 with SMTP id
 5614622812f47-44f7a53506cmr14266b6e.63.1761668942990;
        Tue, 28 Oct 2025 09:29:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1761668942; cv=none;
        d=google.com; s=arc-20240605;
        b=OadSKJ2io1kRKg1CfdaLlaxgZBRGtUgPIbtn1mKO1C2SkstdlrQIJytxAnByjAq1dx
         Iwy5pmXwzBI2/aqkEB2xJvcebIIlK3CMo83pVnvhp0ydoOw2DhqoTz7xm2JHFK9xqrsu
         xLULWXoTiEJRWxOQdAQ9ei7NaK4PRAbOakCAqtNBDrhY7waVignAOV+eLIq5XvsQSomk
         06EUBByxvUBDLYw/A4e6wS5uB+O3ogcDmVIMoD5KNgmt1uxARzAw2gz8mnjEzzUl6AFK
         WEJ1//kR80FaTpUua/kxGLcbWRBMA8n5VuCd6RBzafMc9potpfHqkJPMYZcwwmAIckN/
         cA6w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
        h=errors-to:content-transfer-encoding:list-subscribe:list-help
         :list-post:list-archive:list-unsubscribe:list-id:precedence:subject
         :mime-version:references:in-reply-to:message-id:date:to:from
         :dkim-signature:dkim-signature:dkim-signature;
        bh=aZehHt/uc9eJCXalP01YbyzoEZLqIdA/cTgjC3XWn20=;
        fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=;
        b=hUGcezYnIiwcyh0mpcwhHLFms2UjWS8YzY43omhXrthqBzIF0w90LZWPKVFCD6pOGZ
         ue3shaO7k4J5iNTDZrOPD3wg+uBq6D8SJvJF7unjqqwscfmYcNvZqZAmBSEE5ndIM4zt
         hUI+7iOT1DxaGFASnMYcHRpv5fIvYKsX7yARTz3bsXfnl7bkZcSB6uyZyMWN64lanVUb
         y0zofD8dMcewE7PTFrjm6b3VOfUyLnoG+PfaylCJKpxq6W9A8omIeIRLhzdAOTOB8FBA
         5ftzH4gPzQcplIT0sAq9axOPQDvhApIFgEQB/I5qv7FftUdgJnws6Mmc0i9g09/KEMQc
         Qjyg==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@lists.sourceforge.net header.s=beta
 header.b=ZcNTNMGp;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=mYIPk5aX;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b="jQQxvV/S";
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7])
        by mx.google.com with ESMTPS id
 5614622812f47-44da5592248si2540334b6e.384.2025.10.28.09.29.02
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 28 Oct 2025 09:29:02 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@lists.sourceforge.net header.s=beta
 header.b=ZcNTNMGp;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=mYIPk5aX;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b="jQQxvV/S";
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type:
	List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:
	Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender:
	Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From:
	Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;
	bh=aZehHt/uc9eJCXalP01YbyzoEZLqIdA/cTgjC3XWn20=; b=ZcNTNMGpLgpFOgiekf3x6kPU1T
	dByJrSo13Nf3swCy54XEgqt+F4dLvhIgJkEPrbmF+j238tDcUEuGV+keWGVsEzeZy3iBHhzTgFqyB
	9QtMbTzAKFnGkdSJ6q7FWtNYeHy75EQfhTzl/EqNMJNtkjxtPWnX9qIM3NKcjEfY7wMQ=;
Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com)
	by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1vDmZ8-0001PQ-IC;
	Tue, 28 Oct 2025 16:28:58 +0000
Received: from [172.30.29.66] (helo=mx.sourceforge.net)
 by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
 (envelope-from <gert@blue4.greenie.muc.de>) id 1vDmZ7-0001PK-Ew
 for openvpn-devel@lists.sourceforge.net;
 Tue, 28 Oct 2025 16:28:57 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=m7hZvLTn3NKECS/yxV4/miE3ksxAMAVXwq0bB587cE4=; b=mYIPk5aXsy3Otmpqu6fOzUxPvX
 jnHUS1I9QAdeUGAgTxcVn7VOJioiVkCqeCuSPG51OeHZ9J0iO2LiAbJmSjoUPDpby5Y6oJggZFTFJ
 /hIc//L3b2wZLwj/LfGjNFsJ2ETUT+gA2KhMM7IFOAFAkqPY8RmCZyV2dm/cVjOdEqcs=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID:
 Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=m7hZvLTn3NKECS/yxV4/miE3ksxAMAVXwq0bB587cE4=; b=jQQxvV/S34o4Ph0IhFS833sUna
 wTTC+3o4LNnFmbxyVz0rlJ1/2eR6h5PaNmPfSmfRhP0OgvVOZr4BEGq269+k/O3D+uBZsp3vLLCi8
 N1v/AvIJRqrpDXaEep6SizESy1bC9rB6MS720yIC/39+Bl9Z3c2juFKj93kd/sxT6OXo=;
Received: from [193.149.48.134] (helo=blue.greenie.muc.de)
 by sfi-mx-2.v28.lw.sourceforge.com with esmtps
 (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95)
 id 1vDmZ6-0008Hs-3c for openvpn-devel@lists.sourceforge.net;
 Tue, 28 Oct 2025 16:28:57 +0000
Received: from blue.greenie.muc.de (localhost [127.0.0.1])
 by blue.greenie.muc.de (8.18.1/8.18.1) with ESMTP id 59SGSi7r018202
 for <openvpn-devel@lists.sourceforge.net>; Tue, 28 Oct 2025 17:28:44 +0100
Received: (from gert@localhost)
 by blue.greenie.muc.de (8.18.1/8.18.1/Submit) id 59SGSiO2018201
 for openvpn-devel@lists.sourceforge.net; Tue, 28 Oct 2025 17:28:44 +0100
From: Gert Doering <gert@greenie.muc.de>
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 28 Oct 2025 17:28:38 +0100
Message-ID: <20251028162843.18189-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.1
In-Reply-To: 
 <gerrit.1761573316000.I54845bf4dd17d06cfc3b402f188795f74f4b1d3e@gerrit.openvpn.net>
References: 
 <gerrit.1761573316000.I54845bf4dd17d06cfc3b402f188795f74f4b1d3e@gerrit.openvpn.net>
MIME-Version: 1.0
X-Spam-Score: 1.3 (+)
X-Spam-Report: Spam detection software,
 running on the system "sfi-spamd-1.hosts.colo.sdot.me",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: From: Antonio Quartulli <antonio@mandelbit.com> Since
 OpenVPN
 spawns various child processes, it is important that sockets are closed after
 calling exec. The sitnl socket didn't have the right flag set, resulting
 in it surviving in, for example, connect/disconnect scripts and giving the
 latter a chance to abuse the socket.
 Content analysis details:   (1.3 points, 5.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
X-Headers-End: 1vDmZ6-0008Hs-3c
Subject: [Openvpn-devel] [PATCH v4] sitnl: set FD_CLOEXEC on socket to
 prevent abuse
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: =?utf-8?q?1847243773694695187?=
X-GMAIL-MSGID: =?utf-8?q?1847243773694695187?=