authorjca <jca@openbsd.org>2017-10-04 23:56:48 +0000
committerjca <jca@openbsd.org>2017-10-04 23:56:48 +0000
commit276bf740fc10efc1c2827edbb96486e243bc3641 (patch)
tree9e7667b447734554f6e9fc035545343c35fbae26 /usr.sbin/inetd
parentsync (diff)
Fix pledge(2) usage
We should not try to tighten pledge promises in the master inetd process, since those are needed to reload the configuration. Only tighten down if 1) we have forked 2) we're running one of the builtin routines, which are dealing with network input. Pointed out by and ok benno@
Diffstat (limited to 'usr.sbin/inetd')
-rw-r--r--usr.sbin/inetd/inetd.c16
1 files changed, 5 insertions, 11 deletions
diff --git a/usr.sbin/inetd/inetd.c b/usr.sbin/inetd/inetd.c
index 4670540b604..b399a21311a 100644
--- a/usr.sbin/inetd/inetd.c
+++ b/usr.sbin/inetd/inetd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: inetd.c,v 1.157 2017/10/04 20:15:52 jca Exp $ */
+/* $OpenBSD: inetd.c,v 1.158 2017/10/04 23:56:48 jca Exp $ */
/*
* Copyright (c) 1983,1991 The Regents of the University of California.
@@ -1752,22 +1752,16 @@ spawn(int ctrl, short events, void *xsep)
return;
}
- if (sep->se_family == AF_UNIX) {
- if (pledge("stdio rpath cpath getpw inet proc exec id", NULL) == -1)
- err(1, "pledge");
- } else {
- if (pledge("stdio rpath getpw inet proc exec id", NULL) == -1)
- err(1, "pledge");
- }
-
if (pid && sep->se_wait) {
sep->se_wait = pid;
event_del(&sep->se_event);
}
if (pid == 0) {
- if (sep->se_bi)
+ if (sep->se_bi) {
+ if (dofork && pledge("stdio inet", NULL) == -1)
+ err(1, "pledge");
(*sep->se_bi->bi_fn)(ctrl, sep);
- else {
+ } else {
if ((pwd = getpwnam(sep->se_user)) == NULL) {
syslog(LOG_ERR,
"getpwnam: %s: No such user",