authorderaadt <deraadt@openbsd.org>2015-10-03 00:58:59 +0000
committerderaadt <deraadt@openbsd.org>2015-10-03 00:58:59 +0000
commite7e08b57f5db5d32ce534ce0cde42441a95556aa (patch)
tree45471d8644d3f0e78e3247e059fbe5bea8b80825
parentping6 is a setuid root priv-drop which holds a sockraw. we can tame it (diff)
sed only works on files, so the obvious goal is to remove its network
access in case it is exploited. tame with "stdio wpath rpath cpath" seems to cover all usage cases, except -i performs a fchmod() on the in-place file, so conditionally also needs "fattr". ok sthen
-rw-r--r--usr.bin/sed/main.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/usr.bin/sed/main.c b/usr.bin/sed/main.c
index 8b02d08e579..1e91848914a 100644
--- a/usr.bin/sed/main.c
+++ b/usr.bin/sed/main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.24 2015/07/19 17:21:21 deraadt Exp $ */
+/* $OpenBSD: main.c,v 1.25 2015/10/03 00:58:59 deraadt Exp $ */
/*-
* Copyright (c) 1992 Diomidis Spinellis.
@@ -159,6 +159,14 @@ main(int argc, char *argv[])
if (termwidth == 0)
termwidth = 60;
+ if (inplace != NULL) {
+ if (tame("stdio wpath rpath cpath fattr", NULL) == -1)
+ err(1, "tame");
+ } else {
+ if (tame("stdio wpath rpath cpath", NULL) == -1)
+ err(1, "tame");
+ }
+
/* First usage case; script is the first arg */
if (!eflag && !fflag && *argv) {
add_compunit(CU_STRING, *argv);
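Review bot: The two branches at the top of the hunk differ only in the tame(2) policy string, so the policy is easier to audit as a single call: `if (tame(inplace != NULL ? "stdio wpath rpath cpath fattr" : "stdio wpath rpath cpath", NULL) == -1)` followed by `err(1, "tame");`. The reason "fattr" is conditional lives only in the commit message; a one-line comment above the call, `/* -i fchmod()s the replacement file, so it additionally needs fattr */`, keeps that from being "simplified" away later. Note that rpath/wpath/cpath still let an exploited sed read, create and rename any file the invoking user can reach, so what this buys is the loss of the remaining syscall classes (notably sockets), not confinement of file access — that is as far as tame can go here without a path-based mechanism. The rest of main() lies outside the hunk.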