From 9b44153d201d5be72d3ad3df4a3b5e73d935cfd1 Mon Sep 17 00:00:00 2001
From: Pete Nelson
Date: Thu, 11 Feb 2016 09:50:45 -0500
Subject: fix issue with SIG_CHLD being ignored

By just ignoring SIG_CHLD, loading this plugin breaks any external script usage in openvpn. A better solution to preventing zombies is to daemonize the spawned child and let init/systemd clean it up.
---
 duo_openvpn.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/duo_openvpn.c b/duo_openvpn.c
index f914ea4..1f37947 100644
--- a/duo_openvpn.c
+++ b/duo_openvpn.c
@@ -1,3 +1,4 @@
+#include
 #include
 #include
 #include
@@ -60,9 +61,6 @@ auth_user_pass_verify(struct context *ctx, const char *args[], const char *envp[
 return OPENVPN_PLUGIN_FUNC_ERROR;
 }
 
- /* prevent leaving behind zombies */
- signal(SIGCHLD, SIG_IGN);
-
 pid = fork();
 if (pid < 0) {
 return OPENVPN_PLUGIN_FUNC_ERROR;
@@ -71,7 +69,15 @@ auth_user_pass_verify(struct context *ctx, const char *args[], const char *envp[
 if (pid > 0) {
 return OPENVPN_PLUGIN_FUNC_DEFERRED;
 }
-
+
+ /* daemonize so PID 1 can reap */
+ umask(0);
+ setsid();
+ chdir("/");
+ close(STDIN_FILENO);
+ close(STDOUT_FILENO);
+ close(STDERR_FILENO);
+
 if (ctx->ikey && ctx->skey && ctx->host) {
 setenv("ikey", ctx->ikey, 1);
 setenv("skey", ctx->skey, 1);
-- 
cgit v1.2.3
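Review bot: The single `fork()` followed by `setsid()` in the last hunk does not hand the child to PID 1, so the new comment `/* daemonize so PID 1 can reap */` is not true as written: the child stays a child of the OpenVPN process until that process exits, and `setsid()` only changes its session. With `signal(SIGCHLD, SIG_IGN)` removed in the previous hunk, and unless the host reaps unknown children somewhere this patch does not show, every authentication attempt leaves one zombie behind, which on a long-running server eats into the process limit. A double fork fixes it: the parent waits for the first child, which forks again and exits at once, so only the grandchild is orphaned (this needs `<sys/wait.h>` and `<errno.h>` if the file does not already include them). Separately, descriptors 0-2 are closed but not reopened on `/dev/null`, so the next file the helper opens can land on fd 1 or 2 and collect stray output, and `umask(0)` leaves any file the helper creates without a permission mask. `auth_user_pass_verify` starts above this hunk and continues below it.

```c
	if (pid > 0) {
		/* Reap the intermediate child; it exits as soon as it has forked again. */
		while (waitpid(pid, NULL, 0) < 0 && errno == EINTR) {
			continue;
		}
		return OPENVPN_PLUGIN_FUNC_DEFERRED;
	}

	/* Second fork: the grandchild is orphaned once this process exits. */
	pid = fork();
	if (pid != 0) {
		_exit(pid < 0 ? 1 : 0);
	}

	/* … unchanged: umask(), setsid(), chdir("/"), close() of the three standard descriptors … */
```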