On Sun, Apr 03, 2016 at 06:09:21PM +0200, frit...@alokat.org wrote:
> On Sat, Apr 02, 2016 at 04:38:10PM +0200, frit...@alokat.org wrote:
> > Hi,
> > 
> > this adds pledge(2) to ftpd(8).
> > 
> > --f.
> > 
> 
> With help from semarie@ the original diff was changed a little
> bit.
> 
> The following processes are pledged:
> - [priv post-auth]
> - User-privileged slave
> - Unprivileged slave
> 
> As I don't cover all use cases, please send me your feedback.
> 
> --f.
> 
> Index: monitor.c
> ===================================================================
> RCS file: /cvs/src/libexec/ftpd/monitor.c,v
> retrieving revision 1.23
> diff -u -r1.23 monitor.c
> --- monitor.c 16 Nov 2015 17:31:14 -0000      1.23
> +++ monitor.c 3 Apr 2016 15:42:21 -0000
> @@ -193,6 +193,10 @@
>  
>               endpwent();
>               close(fd_slave);
> +
> +             if (pledge("stdio", NULL) == -1)
> +                     fatalx("pledge");
> +
>               return (1);
>       }
>  
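Review bot: `fatalx("pledge")` discards the reason the call failed; pledge(2) sets errno to EINVAL for a malformed promise string and EPERM when a call tries to widen an earlier set, so including strerror(errno) in the message would make a bad promise list diagnosable from syslog. The placement itself reads correctly: the child keeps only "stdio" once fd_slave is closed and it returns to work on descriptors it already holds.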
> @@ -302,6 +306,11 @@
>                       case AUTH_SLAVE:
>                               /* User-privileged slave */
>                               debugmsg("user-privileged slave started");
> +
> +                             if (pledge("stdio rpath getpw proc wpath cpath 
> inet ioctl sendfd recvfd",
> +                                        NULL) == -1) {
> +                                     fatalx("pledge");
> +                             }


Whoa, still a big list of promises, and some are a bit unexpected for
me. Could you explain the need for them?

I mean, if "rpath wpath cpath" are expected for a daemon that serves
files, "ioctl" for example is more questionable. Could you explain
quickly why or where ftpd needs them?

thanks.

>                               return;
>                               /* NOTREACHED */
>                       case AUTH_MONITOR:
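Review bot: the promise string for the user-privileged slave arrives split across two lines (`"stdio rpath getpw proc wpath cpath` / `inet ioctl sendfd recvfd"`); if that is the file contents rather than mailer wrapping, the literal holds a raw newline and will not compile, so keep it on one line or use adjacent string literals. The set is also wide for a process that runs as the authenticated user: each of "getpw", "ioctl", "sendfd" and "recvfd" should be tied to the call that needs it (a one-line comment above the pledge is enough), and any promise that cannot be tied to one should be dropped, since every extra promise re-enables a syscall class for code that handles remote input after login.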
> @@ -311,6 +320,11 @@
>                               setproctitle("%s: [priv post-auth]",
>                                   remotehost);
>                               slavequit = 1;
> +
> +                             if (pledge("stdio proc dns inet sendfd",
> +                                        NULL) == -1) {
> +                                     fatalx("pledge");
> +                             }
>  
>                               send_data(fd_slave, &slavequit,
>                                   sizeof(slavequit));
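Review bot: the three hunks are inconsistent on style: the first writes `fatalx("pledge");` without braces, while this hunk and the AUTH_SLAVE one brace a single statement; pick one form for all of them. "dns" is also unexplained here: the visible [priv post-auth] code only sends slavequit over fd_slave, so a comment naming the later monitor operation that resolves names, and the one that needs "proc", would let reviewers judge whether this set can be tightened.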
> 
> 

-- 
Sebastien Marie