author: florian <florian@openbsd.org>, 2015-11-05 18:00:43 +0000
committer: florian <florian@openbsd.org>, 2015-11-05 18:00:43 +0000
commit: 1019da9831d8d1a3b4901ac67370dd6a107c8b6c
tree: a830b396fc44b830a714e47455e4847a36f9df15 /usr.sbin/httpd/server.c
parent: Account for the header size when dealing with null link layer ifaces.
pledge(2) for httpd.

1) The main process listens on sockets and accepts connections. It creates and opens log files, creates and kills child processes. On start up and on receiving a HUP signal it parses the configuration. It passes on file descriptors for logging or requests to its children.

2) The logger process writes log messages to a file descriptor passed in from the main process.

3) The server process reads the request from a file descriptor passed in from the main process. It reads a file or creates a directory index to send a response. Additionally this process handles fastcgi requests. It connects to AF_UNIX, AF_INET or AF_INET6 sockets. A re-factoring might make it possible to drop the additional fastcgi privileges when only static files are served.

with deraadt@ some time ago
prodding & OK deraadt@
tweaks and OK reyk@

Diffstat (limited to 'usr.sbin/httpd/server.c')
-rw-r--r-- usr.sbin/httpd/server.c 5
1 files changed, 4 insertions, 1 deletions
diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c
index 78fee8cd435..f50aa1b2f4d 100644
--- a/usr.sbin/httpd/server.c
+++ b/usr.sbin/httpd/server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server.c,v 1.80 2015/09/11 13:21:09 jsing Exp $ */
+/* $OpenBSD: server.c,v 1.81 2015/11/05 18:00:43 florian Exp $ */
/*
* Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -244,6 +244,9 @@ server_init(struct privsep *ps, struct privsep_proc *p, void *arg)
/* Unlimited file descriptors (use system limits) */
socket_rlimit(-1);
+ if (pledge("stdio rpath inet unix recvfd", NULL) == -1)
+ fatal("pledge");
+
#if 0
/* Schedule statistics timer */
evtimer_set(&env->sc_statev, server_statistics, NULL);
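
Review bot: the pledge() call added to server_init() carries no comment saying which part of the server process needs each promise in "stdio rpath inet unix recvfd". Going by the commit message, rpath covers reading files and building directory indexes, recvfd covers descriptors passed in from the main process, and inet and unix are held only so fastcgi can connect to AF_INET, AF_INET6 and AF_UNIX sockets. A short comment above the call recording that mapping, and marking inet and unix as the promises to drop once static-only serving is split out, would keep the promise set from being widened or narrowed blindly later. The failure path, fatal("pledge") on a -1 return, is fine as written.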