Hi,
When loading the CA certificates at startup fails, the syslogd child
tries to load the default CA file when it connects to a TLS server.
This always fails, as the child is chrooted to /var/empty. Set the
CA storage to an empty string, to remove the pledge "rpath".
ok?
bluhm
Index: usr.sbin/syslogd/syslogd.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.200
diff -u -p -r1.200 syslogd.c
--- usr.sbin/syslogd/syslogd.c 23 Oct 2015 16:28:52 -0000 1.200
+++ usr.sbin/syslogd/syslogd.c 23 Oct 2015 18:29:40 -0000
@@ -550,6 +550,7 @@ main(int argc, char *argv[])
tls_config_insecure_noverifyname(client_config);
} else {
struct stat sb;
+ int fail = 1;
fd = -1;
p = NULL;
@@ -567,9 +568,13 @@ main(int argc, char *argv[])
sb.st_size) == -1) {
logerrorx("tls_config_set_ca_mem");
} else {
+ fail = 0;
logdebug("CAfile %s, size %lld\n",
CAfile, sb.st_size);
}
+ /* avoid reading default certs in chroot */
+ if (fail)
+ tls_config_set_ca_mem(client_config, "", 0);
free(p);
close(fd);
}
@@ -700,7 +705,7 @@ main(int argc, char *argv[])
if (priv_init(ConfFile, NoDNS, lockpipe[1], nullfd, argv) < 0)
errx(1, "unable to privsep");
- if (pledge("stdio rpath unix inet recvfd", NULL) == -1)
+ if (pledge("stdio unix inet recvfd", NULL) == -1)
err(1, "pledge");
/* Process is now unprivileged and inside a chroot */
