X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/cf73943b330a44b8716aa1fcbf649ee1f0fbc67b..fa32850be0d9e605da1b33305c122f7a59a24650:/src/src/daemon.c

diff --git a/src/src/daemon.c b/src/src/daemon.c
index 777cda6f4..3db9be374 100644
--- a/src/src/daemon.c
+++ b/src/src/daemon.c
@@ -1,10 +1,10 @@
-/* $Cambridge: exim/src/src/daemon.c,v 1.26 2008/12/12 14:44:25 nm4 Exp $ */
+/* $Cambridge: exim/src/src/daemon.c,v 1.27 2009/11/16 19:50:36 nm4 Exp $ */
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
 *************************************************/
 
-/* Copyright (c) University of Cambridge 1995 - 2007 */
+/* Copyright (c) University of Cambridge 1995 - 2009 */
 /* See the file NOTICE for conditions of use and distribution. */
 
 /* Functions concerned with running Exim as a daemon */
@@ -425,6 +425,13 @@ if (pid == 0)
 
   for (i = 0; i < listen_socket_count; i++) (void)close(listen_sockets[i]);
 
+  /* Set FD_CLOEXEC on the SMTP socket. We don't want any rogue child processes
+  to be able to communicate with them, under any circumstances. */
+  (void)fcntl(accept_socket, F_SETFD,
+              fcntl(accept_socket, F_GETFD) | FD_CLOEXEC);
+  (void)fcntl(dup_accept_socket, F_SETFD,
+              fcntl(dup_accept_socket, F_GETFD) | FD_CLOEXEC);
+
   #ifdef SA_NOCLDWAIT
   act.sa_handler = SIG_IGN;
   sigemptyset(&(act.sa_mask));