audit_json_open: Set the close-on-exec flag for the JSON audit fd

millert · millert · commit a24c73621d0d · 2025-11-09T09:18:24.000-07:00
Found by the ZeroPath AI Security Engineer <https://zeropath.com>
diff --git a/plugins/audit_json/audit_json.c b/plugins/audit_json/audit_json.c
@@ -153,7 +153,8 @@ audit_json_open(unsigned int version, sudo_conv_t conversation,
     oldmask = umask(S_IRWXG|S_IRWXO);
     fd = open(state.logfile, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR);
     (void)umask(oldmask);
-    if (fd == -1 || (state.log_fp = fdopen(fd, "w")) == NULL) {
+    if (fd == -1 || fcntl(fd, F_SETFD, FD_CLOEXEC) == -1 ||
+	    (state.log_fp = fdopen(fd, "w")) == NULL) {
 	*errstr = U_("unable to open audit system");
 	if (fd != -1)
 	    close(fd);
