From: Damien Miller Subject: GHPR693: set CLOEXEC on sftp's fds to ssh To: tech@openbsd.org Cc: openssh@openssh.com Date: Mon, 29 Jun 2026 16:18:47 +1000 Hi, sftp talks to ssh over pipes (or a socketpair sometimes in portable). When in interactive mode it also allows starting a local shell via ! Unfortunately this shell inherits the sftp-ssh fds and if anything writes to them the the connection will break. Set them CLOEXEC to avoid this. ok?
diff --git a/sftp.c b/sftp.c
index 6e612ed..e3449fc 100644
--- a/sftp.c
+++ b/sftp.c
@@ -24,6 +24,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -316,7 +317,6 @@ local_do_shell(const char *args)
 fatal("Couldn't fork: %s", strerror(errno));
 if (pid == 0) {
- /* XXX: child has pipe fds to ssh subproc open - issue? */
 if (args) {
 debug3("Executing %s -c \"%s\"", shell, args);
 execl(shell, shell, "-c", args, (char *)NULL);
@@ -2396,6 +2396,8 @@ connect_to_server(char *path, char **args, int *in, int *out)
 ssh_signal(SIGCHLD, sigchld_handler);
 close(c_in);
 close(c_out);
+ FD_CLOSEONEXEC(*in);
+ FD_CLOSEONEXEC(*out);
 }
 
 static void
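Review bot: The two FD_CLOSEONEXEC lines in the connect_to_server hunk carry no explanation, and the XXX comment that used to record the concern is removed in the local_do_shell hunk, so the invariant is now undocumented; a one-line comment above them would keep it visible: `/* Don't leak the ssh fds to shells started by local_do_shell() */`. The flag is set in the parent after the ssh child has already been forked (the fork itself is above this hunk), so that child presumably still inherited the parent-side descriptors without the flag; worth confirming the child closes them before exec rather than relying on this change. In the portable socketpair case mentioned in the description, `*in` and `*out` may be the same descriptor, in which case setting the flag twice is harmless but could be noted. The added `#include` in the first hunk has lost its header name in this rendering, so which header is being added cannot be checked here.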