[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#5507) Ldap clients leak file descriptors

Full_Name: Jan Safranek
Version: 2.4.9
OS: Linux (Fedora 8)
Submission from: (NULL) (

On system protected by SELinux, when an application with active LDAP connection
tries to exec() binary with different security context, SELinux inspects all
opened filedescriptors, including the ldap one, and denies access to the ones,
which do not conform active policy (the executed binary is not authorized to
contact LDAP servers). Users are then annoyed by security warnings in the logs.

There is simple fix - set CLOEXEC flag on the socket, which will force the
filedescriptor to close on exec(), see patch below.

--- a/libraries/libldap/os-ip.c
+++ b/libraries/libldap/os-ip.c
@@ -36,6 +36,9 @@
 #ifdef HAVE_IO_H
 #include <io.h>
 #endif /* HAVE_IO_H */
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>

 #include "ldap-int.h"

@@ -110,6 +113,9 @@ ldap_int_socket(LDAP *ld, int family, int type )
        ber_socket_t s = socket(family, type, 0);
        osip_debug(ld, "ldap_new_socket: %d\n",s,0,0);
+#ifdef _GNU_SOURCE
+       fcntl(s, F_SETFD, FD_CLOEXEC);
        return ( s );