Pledge the syslogd privsep process with "stdio rpath wpath cpath

inet dns getpw sendfd proc exec". OK deraadt@
author: bluhm <bluhm@openbsd.org> 2015-10-16 16:10:10 +0000
committer: bluhm <bluhm@openbsd.org> 2015-10-16 16:10:10 +0000
commit: c9ec0abe94e8a66cea008ed1a5f4d5b477e78bcf (patch)
tree: a0b268807fc95960f6ffb5292bc74f0fd72a0f42 /usr.sbin
parent: The hosts.lpd examples file does not contain a single example. (diff)
download: wireguard-openbsd-c9ec0abe94e8a66cea008ed1a5f4d5b477e78bcf.tar.xz
wireguard-openbsd-c9ec0abe94e8a66cea008ed1a5f4d5b477e78bcf.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/usr.sbin/syslogd/privsep.c b/usr.sbin/syslogd/privsep.c
index 94f6b2ad4f1..4487650e88d 100644
--- a/usr.sbin/syslogd/privsep.c
+++ b/usr.sbin/syslogd/privsep.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: privsep.c,v 1.56 2015/10/15 20:26:47 bluhm Exp $	*/
+/*	$OpenBSD: privsep.c,v 1.57 2015/10/16 16:10:10 bluhm Exp $	*/
 
 /*
  * Copyright (c) 2003 Anil Madhavapeddy <anil@recoil.org>
@@ -144,6 +144,10 @@ priv_init(char *conf, int numeric, int lockfd, int nullfd, char *argv[])
 		return 0;
 	}
 
+	if (pledge("stdio rpath wpath cpath inet dns getpw sendfd proc exec",
+	    NULL) == -1)
+		err(1, "pledge priv");
+
 	if (!Debug) {
 		close(lockfd);
 		dup2(nullfd, STDIN_FILENO);
author	bluhm <bluhm@openbsd.org>	2015-10-16 16:10:10 +0000
committer	bluhm <bluhm@openbsd.org>	2015-10-16 16:10:10 +0000
commit	c9ec0abe94e8a66cea008ed1a5f4d5b477e78bcf (patch)
tree	a0b268807fc95960f6ffb5292bc74f0fd72a0f42 /usr.sbin
parent	The hosts.lpd examples file does not contain a single example. (diff)
download	wireguard-openbsd-c9ec0abe94e8a66cea008ed1a5f4d5b477e78bcf.tar.xz wireguard-openbsd-c9ec0abe94e8a66cea008ed1a5f4d5b477e78bcf.zip