From b7bcb1b3b953c2052e2d89cb2b3e9d9ccd1b3864 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Oct 10 2019 20:28:18 +0000
Subject: Don't close STDOUT when calling the CA fetch_roots function


cm_subproc_mark_most_cloexec() now closes all open file
descriptors except for up to three requested for stdin, stdout
and stderr. Before the optimization those three were always
left open.

This was causing errors in the IPA helper ipa-server-guard
because it tries to display the contents of stderr which was
always being closed, causing ipa-server-guard to blow up.

---

diff --git a/src/cadata.c b/src/cadata.c
index eb87eb7..3e916c9 100644
--- a/src/cadata.c
+++ b/src/cadata.c
@@ -109,7 +109,7 @@ fetch(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, void *data)
 		}
 		return -1;
 	}
-	cm_subproc_mark_most_cloexec(STDOUT_FILENO, -1, -1);
+	cm_subproc_mark_most_cloexec(STDOUT_FILENO, STDERR_FILENO, -1);
 	cm_log(1, "Running enrollment/cadata helper \"%s\".\n", argv[0]);
 	execvp(argv[0], argv);
 	u = errno;