author | 2018-10-22 16:20:09 +0000 | |
---|---|---|
committer | 2018-10-22 16:20:09 +0000 | |
commit | 6c26a4b7e70c4b82fdd8dc1e07c9c40b4526ebce (patch) | |
tree | 4debf49eafe42367933352f5260e9508a5469a99 | |
parent | Remove #ifdef INET6 (diff) | |
download | wireguard-openbsd-6c26a4b7e70c4b82fdd8dc1e07c9c40b4526ebce.tar.xz wireguard-openbsd-6c26a4b7e70c4b82fdd8dc1e07c9c40b4526ebce.zip |
unveil support is a bit amusing. /etc/sensorsd.conf with "r", and
"/" for 'x' so that scripts can be run anywhere in the filesystem
(intended behaviour). The latter may seem very permissive, but it is
less permissive than "rwxc" ....
ok mestre, a while back
-rw-r--r-- | usr.sbin/sensorsd/sensorsd.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/usr.sbin/sensorsd/sensorsd.c b/usr.sbin/sensorsd/sensorsd.c index 680bc8af9ad..fd6fb67728e 100644 --- a/usr.sbin/sensorsd/sensorsd.c +++ b/usr.sbin/sensorsd/sensorsd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sensorsd.c,v 1.61 2017/03/20 15:31:23 bluhm Exp $ */ +/* $OpenBSD: sensorsd.c,v 1.62 2018/10/22 16:20:09 deraadt Exp $ */ /* * Copyright (c) 2003 Henning Brauer <henning@openbsd.org> @@ -114,6 +114,11 @@ main(int argc, char *argv[]) int ch, check_period = CHECK_PERIOD; const char *errstr; + if (unveil("/etc/sensorsd.conf", "r") == -1) + err(1, "unveil"); + if (unveil("/", "x") == -1) + err(1, "unveil"); + if (pledge("stdio rpath proc exec", NULL) == -1) err(1, "pledge"); |
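Review bot: in the main() hunk, the reason `unveil("/", "x")` is acceptable is recorded only in the commit message. Put a short comment above that call saying that exec is unveiled on the whole filesystem because scripts may live anywhere, so a later reader does not take it for an oversight or tighten it and break the intended behaviour. Both new calls also fail with the identical `err(1, "unveil")`, so a failure does not say which path was rejected; naming the path in the message, for example `err(1, "unveil /etc/sensorsd.conf")`, would make it diagnosable. The pledge("stdio rpath proc exec", NULL) that follows carries no "unveil" promise, which already blocks any further unveil() calls, so no explicit unveil(NULL, NULL) is needed; that ordering dependency is worth stating in the same comment.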