From: utzoo!decvax!duke!unc!mcnc!rti!trt
Newsgroups: net.unix-wizards
Title: Re: More on SUID and exec
Article-I.D.: rti.1016
Posted: Mon Feb 14 11:59:49 1983
Received: Wed Feb 16 06:10:43 1983

References: mitccc.309

FIOCLEX provides a simple way to ensure that sensitive files are not
passed along to unscrupulous programs.
For example, consider an SUID game program that opens a "secret" file
and permits the player to "!sh".  It may carefully revert uid/gid
but if it does not close the restricted file, well,
it is not a restricted file, is it?
Steve Bellovin noticed this danger some years back
and recommended liberal use of FIOCLEX as the cure.

A+ news has a local version of fopen(III), something like:
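	#include <stdio.h>
	#include <sys/ioctl.h>	/* ioctl(), FIOCLEX */

	FILE *
	xfopen(file, mode)
	char *file, *mode;
	{
		FILE *fp;

		if ((fp = fopen(file, mode)) == NULL) {
			/* it didn't work; there is no descriptor to mark */
			return(NULL);
		}
		/* have the kernel close this descriptor on exec(II) */
		ioctl(fileno(fp), FIOCLEX, NULL);
		return(fp);
	}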
Alternatively, one can keep a list of file descriptors which
must be closed prior to an exec(II).  I prefer the ioctl.

FIONCLEX undoes FIOCLEX, and is probably just for completeness.
It can be simulated with dup(II) and close(II).
I could find no use of FIONCLEX in all of /usr/src/cmd.
	Tom Truscott
P.S.  Perhaps FIOCLEX should be the default when a file is opened.
A few programs such as init/getty/login/sh would then need to use FIONCLEX.
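
The leak described in the post, as an added example that is not part of the original article or of any news software: a process opens a "secret" file, optionally marks it with FIOCLEX, then execs a shell that tries to read the inherited descriptor. The function name secret_reaches_shell(), the temporary file and its contents, and the use of descriptor 3 are all constructed for the illustration; it assumes /bin/sh exists.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the exec'd shell can read the secret through an inherited
 * descriptor, 0 if it cannot, -1 on setup failure.  All names and the
 * file contents are constructed for this example. */
int secret_reaches_shell(int use_fioclex)
{
	static const char secret[] = "constructed secret\n";
	char path[] = "/tmp/secretXXXXXX";
	int fd, status = 0;
	pid_t pid;

	if ((fd = mkstemp(path)) < 0)
		return -1;
	if (write(fd, secret, sizeof secret - 1) < 0 || close(fd) < 0) {
		unlink(path);
		return -1;
	}

	if ((pid = fork()) == 0) {	/* child plays the game program */
		if ((fd = open(path, O_RDONLY)) < 0)
			_exit(126);
		/* pin to 3: some shells only accept one-digit fds in <&N */
		if (fd != 3 && (dup2(fd, 3) < 0 || close(fd) < 0))
			_exit(126);
		if (use_fioclex && ioctl(3, FIOCLEX, NULL) < 0)
			_exit(126);
		/* the "!sh" escape: the shell tries to read descriptor 3 */
		execl("/bin/sh", "sh", "-c", "read -r line <&3", (char *)NULL);
		_exit(127);
	}
	if (pid > 0)
		waitpid(pid, &status, 0);
	unlink(path);
	if (pid < 0 || !WIFEXITED(status) || WEXITSTATUS(status) >= 126)
		return -1;
	return WEXITSTATUS(status) == 0;
}

int main(void)
{
	printf("without FIOCLEX: shell reads secret = %d\n", secret_reaches_shell(0));
	printf("with FIOCLEX:    shell reads secret = %d\n", secret_reaches_shell(1));
	return 0;
}
```

In the FIOCLEX case the shell reports a bad file descriptor on stderr, because the kernel closed descriptor 3 during the exec.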