authorbluhm <bluhm@openbsd.org>2015-10-09 12:07:32 +0000
committerbluhm <bluhm@openbsd.org>2015-10-09 12:07:32 +0000
commitbb9d77b9d0c88730b77147c83460923cc13fde99 (patch)
treea6e6eba4ea8891706572be0667fe7376361dbef2
parentoops, snuck into a syscalls sync; spotted by sthen (diff)
Tame syslogd privsep child with "stdio rpath unix inet recvfd".
With and OK deraadt@
-rw-r--r--usr.sbin/syslogd/syslogd.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c
index dbb557c97e1..41d64df0c90 100644
--- a/usr.sbin/syslogd/syslogd.c
+++ b/usr.sbin/syslogd/syslogd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: syslogd.c,v 1.190 2015/09/29 03:19:23 guenther Exp $ */
+/* $OpenBSD: syslogd.c,v 1.191 2015/10/09 12:07:32 bluhm Exp $ */
/*
* Copyright (c) 1983, 1988, 1993, 1994
@@ -593,6 +593,9 @@ main(int argc, char *argv[])
if (priv_init(ConfFile, NoDNS, lockpipe[1], nullfd, argv) < 0)
errx(1, "unable to privsep");
+ if (tame("stdio rpath unix inet recvfd", NULL) == -1)
+ err(1, "tame");
+
/* Process is now unprivileged and inside a chroot */
event_init();
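Review bot: The promise string on the added `tame("stdio rpath unix inet recvfd", NULL)` line has no comment saying why the child needs each promise, which makes the sandbox hard to audit or tighten later. A short comment above the call would cover it, for example `/* unix/inet: log sockets and forwarding; recvfd: fds passed from the privileged parent; rpath: TODO name the reads that remain */`; these per-promise reasons are inferred from the names, so confirm them against the rest of main(). The existing comment `/* Process is now unprivileged and inside a chroot */` now sits after the tame call, so moving it above the call or extending it to mention the promise set would keep it accurate about the order in which the restrictions apply. main() begins and ends outside this hunk.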