Set FD_CLOEXEC on sockets created by curl

Curl creates sockets without setting FD_CLOEXEC/SOCK_CLOEXEC, this can cause connections to remain open forever when using commands like `nix shell` This change sets the FD_CLOEXEC flag using a CURLOPT_SOCKOPTFUNCTION callback.
2025-06-24 22:11:15 +02:00 · 2025-02-09 20:53:58 +00:00 · 2025-02-09 20:53:58 +00:00 · 12d2527276
commit 12d2527276
parent aa383a0b85
2 changed files with 22 additions and 0 deletions
--- a/doc/manual/rl-next/curl-cloexec.md
+++ b/doc/manual/rl-next/curl-cloexec.md
@ -0,0 +1,10 @@
+---
+synopsis: Set FD_CLOEXEC on sockets created by curl
+issues: []
+prs: [12439]
+---
+
+
+Curl creates sockets without setting FD_CLOEXEC/SOCK_CLOEXEC, this can cause connections to remain open forever when using commands like `nix shell`
+
+This change sets the FD_CLOEXEC flag using a CURLOPT_SOCKOPTFUNCTION callback.
--- a/src/libstore/filetransfer.cc
+++ b/src/libstore/filetransfer.cc
@ -300,6 +300,14 @@ struct curlFileTransfer : public FileTransfer
            return ((TransferItem *) userp)->readCallback(buffer, size, nitems);
        }

+        #if !defined(_WIN32) && LIBCURL_VERSION_NUM >= 0x071000
+        static int cloexec_callback(void *, curl_socket_t curlfd, curlsocktype purpose) {
+            unix::closeOnExec(curlfd);
+            vomit("cloexec set for fd %i", curlfd);
+            return CURL_SOCKOPT_OK;
+        }
+        #endif
+
        void init()
        {
            if (!req) req = curl_easy_init();
@ -359,6 +367,10 @@ struct curlFileTransfer : public FileTransfer
                curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0);
            }

+            #if !defined(_WIN32) && LIBCURL_VERSION_NUM >= 0x071000
+            curl_easy_setopt(req, CURLOPT_SOCKOPTFUNCTION, cloexec_callback);
+            #endif
+
            curl_easy_setopt(req, CURLOPT_CONNECTTIMEOUT, fileTransferSettings.connectTimeout.get());

            curl_easy_setopt(req, CURLOPT_LOW_SPEED_LIMIT, 1L);