On Sun, Apr 03, 2016 at 06:09:21PM +0200, frit...@alokat.org wrote: > On Sat, Apr 02, 2016 at 04:38:10PM +0200, frit...@alokat.org wrote: > > Hi, > > > > this adds pledge(2) to ftpd(8). > > > > --f. > > > > With help from semarie@ the original diff was changed a little > bit. > > The following processes are pledged: > - [priv post-auth] > - User-privileged slave > - Unprivileged slave > > As I don't cover all use cases, please send me your feedback. > > --f. > > Index: monitor.c > =================================================================== > RCS file: /cvs/src/libexec/ftpd/monitor.c,v > retrieving revision 1.23 > diff -u -r1.23 monitor.c > --- monitor.c 16 Nov 2015 17:31:14 -0000 1.23 > +++ monitor.c 3 Apr 2016 15:42:21 -0000 > @@ -193,6 +193,10 @@ > > endpwent(); > close(fd_slave); > + > + if (pledge("stdio", NULL) == -1) > + fatalx("pledge"); > + > return (1); > } > > @@ -302,6 +306,11 @@ > case AUTH_SLAVE: > /* User-privileged slave */ > debugmsg("user-privileged slave started"); > + > + if (pledge("stdio rpath getpw proc wpath cpath > inet ioctl sendfd recvfd", > + NULL) == -1) { > + fatalx("pledge"); > + }
whoa, still a big list of promises, and some are a bit unexpected for me. could you explain the need for them? I mean, if "rpath wpath cpath" are expected for a daemon that serves files, "ioctl" for example is more questionable. could you explain quickly why or where ftpd needs them? thanks. > return; > /* NOTREACHED */ > case AUTH_MONITOR: > @@ -311,6 +320,11 @@ > setproctitle("%s: [priv post-auth]", > remotehost); > slavequit = 1; > + > + if (pledge("stdio proc dns inet sendfd", > + NULL) == -1) { > + fatalx("pledge"); > + } > > send_data(fd_slave, &slavequit, > sizeof(slavequit)); > > -- Sebastien Marie
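Review bot: the `pledge("stdio", NULL)` added before `return (1);` in the first hunk (@@ -193) carries no comment saying which of the three processes listed in the cover mail it belongs to, while the other two hunks sit next to a `/* User-privileged slave */` comment or a `[priv post-auth]` setproctitle. Suggest a one-line comment above the call naming the process, and a sentence in the commit message on why `stdio` alone is enough at that point.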
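Review bot: the promise list in the AUTH_SLAVE hunk (@@ -302), `stdio rpath getpw proc wpath cpath inet ioctl sendfd recvfd`, is the widest in the diff and is justified neither in the diff nor in the cover mail; as the reply already asks, `ioctl` needs an explanation of which ioctl(2) calls the user-privileged slave makes, and `getpw` and `proc` deserve the same. Suggest a comment above the pledge call listing each promise with the code path that needs it, so a later reader can drop a promise when that code goes away.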
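Review bot: the `[priv post-auth]` hunk (@@ -311) wraps the single `fatalx("pledge");` in braces while the first hunk does not; pick one form (the brace-less form of the first hunk matches the single-statement style) and use it in all three places. The `dns` and `proc` promises granted to the privileged post-auth process also go unexplained; a short comment at the call site saying what they are for would help review.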