From c91853669716f40175562b77e540a396d2e79799 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Mon, 9 Feb 2009 21:44:46 -0800
Subject: Prevent leakage of private pipes and tempfiles. Don't rely on FD_CLOEXEC if we don't have to since it may not be completely portable. Just explicitly close things (pipes, tempfiles) we don't want to pass on to our children when forking.
---
 lib/unicorn.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'lib')
diff --git a/lib/unicorn.rb b/lib/unicorn.rb
index 2e7a1a9..a33b1b2 100644
--- a/lib/unicorn.rb
+++ b/lib/unicorn.rb
@@ -153,7 +153,6 @@ module Unicorn
 # this pipe is used to wake us up from select(2) in #join when signals
 # are trapped. See trap_deferred
 @rd_sig, @wr_sig = IO.pipe.map do |io|
- set_cloexec(io)
 io.nonblock = true
 io
 end unless (@rd_sig && @wr_sig)
@@ -268,6 +267,10 @@ module Unicorn
 # Returns the pid of the forked process
 def spawn_start_ctx(check = nil)
 fork do
+ @rd_sig.close if @rd_sig
+ @wr_sig.close if @wr_sig
+ @workers.values.each { |other| other.tempfile.close rescue nil }
+
 ENV.replace(@start_ctx[:environ])
 ENV['UNICORN_FD'] = @listeners.map { |sock| sock.fileno }.join(',')
 File.umask(@start_ctx[:umask])
-- cgit v1.2.3-24-ge0c7
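Review bot: The explicit closes added inside `fork do` in `spawn_start_ctx` protect only this one fork site, and with `set_cloexec(io)` dropped from the signal pipe in the first hunk nothing else marks `@rd_sig`/`@wr_sig` close-on-exec. Any other path that forks and execs while holding these descriptors (none is visible in this diff, so this is inferred) would pass the private pipe and worker tempfiles to the child; keeping `set_cloexec(io)` where the platform supports it, alongside the explicit close, would cover both cases. Separately, `other.tempfile.close rescue nil` swallows every StandardError, including a NoMethodError from a worker entry without a tempfile, so rescuing only `IOError` would keep the best-effort intent without hiding real bugs. A comment above the closes such as `# drop master-private fds; only the listeners in UNICORN_FD are meant to be inherited` would record why they are there. The `fork do` block continues past the end of the hunk.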