author: deraadt <deraadt@openbsd.org> 2015-10-29 03:16:15 +0000
committer: deraadt <deraadt@openbsd.org> 2015-10-29 03:16:15 +0000
commit: 6a6f1b391b11875979a1f4222092611c791615d3 (patch)
tree: e37b9c30ffb090ef8b9e170446b010ed8292133e /lib/libc
parent: pledge "stdio rpath". (diff)

rdate is a classic "run as root, talk to internet for a while doing
crazy packet parsing, then do something requiring privilege at the end"
program.

Simplistic pledge would be "stdio rpath wpath inet dns settime", which is
not very useful. Imagine if it was exploited? It could still change
your time backwards or write to your passwd file - game over.

However the pledge "categorization" is educational, and quickly leads to
a priv-sep solution of sorts. Create a pipe and fork.

child pledges "stdio inet dns", and talks the time protocols, then
writes error message + timeinfo to the pipe.

parent pledges "stdio rpath wpath settime" and reads error message/timeinfo
from pipe. If error message, spit it out. Otherwise handle the time,
then pledge "stdio rpath", and finally report how the time was adjusted.

A bit more complicated. Now observe that the pledges help test if it
is right...

(Now that privsep processing is in place, the child could be modified
to chroot + change to a different uid... problem is: which uid..)

ok millert

Diffstat (limited to 'lib/libc')
0 files changed, 0 insertions, 0 deletions
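
The pipe-and-fork split described in the commit message, as an added sketch that is not the rdate source or part of this commit. `privsep_get_time`, `struct timeinfo` and `fetch_time` are hypothetical names, the timestamp is a constructed sample, and the `pledge` shim exists only so the file builds on systems other than OpenBSD.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#ifndef __OpenBSD__
#define pledge(promises, execpromises) 0  /* shim: pledge(2) is OpenBSD-only */
#endif
struct timeinfo { char err[64]; time_t when; };  /* pipe message (assumed layout) */

/* Stand-in for the untrusted network side; no real time protocol is spoken. */
static void fetch_time(int fail, struct timeinfo *ti) {
    memset(ti, 0, sizeof(*ti));
    if (fail)
        snprintf(ti->err, sizeof(ti->err), "no response from server");
    else
        ti->when = (time_t)1446088575;  /* constructed sample value */
}

/* Call once per process (pledges only shrink). 0 on success, -1 on failure. */
int privsep_get_time(int fail, struct timeinfo *out) {
    int fds[2];
    pid_t pid;
    if (pipe(fds) == -1)
        return -1;
    if ((pid = fork()) == -1) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                      /* child: network only, no files, no clock */
        struct timeinfo ti;
        close(fds[0]);
        if (pledge("stdio inet dns", NULL) == -1)
            _exit(1);
        fetch_time(fail, &ti);
        _exit(write(fds[1], &ti, sizeof(ti)) == (ssize_t)sizeof(ti) ? 0 : 1);
    }
    close(fds[1]);                       /* parent: never touches the network */
    if (pledge("stdio rpath wpath settime", NULL) == -1)
        return -1;
    ssize_t n = read(fds[0], out, sizeof(*out));
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof(*out) || out->err[sizeof(out->err) - 1] != '\0' ||
        out->err[0] != '\0')
        return -1;  /* short read, unterminated string, or child-reported error */
    /* the clock would be set here, while "settime" is still held */
    return pledge("stdio rpath", NULL);  /* drop settime and wpath before reporting */
}
```

The parent treats the pipe message as untrusted: it checks the length and string termination before using anything the child sent.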