From 9b33ec1764c34d5e9d542f59ce932209941b64f1 Mon Sep 17 00:00:00 2001 From: zimbatm Date: Thu, 10 Dec 2015 16:01:04 +0000 Subject: [PATCH] build-fhs-userenv: don't leak file descriptors This re-uses the capabilities documented in `Process.spawn` to avoid leaking unecessary file-descriptors to the sandbox --- pkgs/build-support/build-fhs-userenv/chroot-user.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/build-support/build-fhs-userenv/chroot-user.rb b/pkgs/build-support/build-fhs-userenv/chroot-user.rb index 05b4914b6f6b..97316ac43695 100755 --- a/pkgs/build-support/build-fhs-userenv/chroot-user.rb +++ b/pkgs/build-support/build-fhs-userenv/chroot-user.rb @@ -140,10 +140,10 @@ if $cpid == 0 link_swdir.call swdir, Pathname.new('') # New environment - ENV.replace(Hash[ envvars.map { |x| [x, ENV[x]] } ]) + new_env = Hash[ envvars.map { |x| [x, ENV[x]] } ] # Finally, exec! - exec *execp + exec(new_env, *execp, close_others: true, unsetenv_others: true) end # Wait for a child. If we catch a signal, resend it to child and continue