On Sun, Apr 03, 2016 at 06:28:21PM +0200, Sebastien Marie wrote:
> On Sun, Apr 03, 2016 at 06:09:21PM +0200, [email protected] wrote:
> > On Sat, Apr 02, 2016 at 04:38:10PM +0200, [email protected] wrote:
> > > Hi,
> > >
> > > this adds pledge(2) to ftpd(8).
> > >
> > > --f.
> > >
> >
> > With help from semarie@ the original diff was changed a little
> > bit.
> >
> > The following processes are pledged:
> > - [priv post-auth]
> > - User-privileged slave
> > - Unprivileged slave
> >
> > As I don't cover all use cases, please send me your feedback.
> >
> > --f.
> >
> > Index: monitor.c
> > ===================================================================
> > RCS file: /cvs/src/libexec/ftpd/monitor.c,v
> > retrieving revision 1.23
> > diff -u -r1.23 monitor.c
> > --- monitor.c 16 Nov 2015 17:31:14 -0000 1.23
> > +++ monitor.c 3 Apr 2016 15:42:21 -0000
> > @@ -193,6 +193,10 @@
> >
> > endpwent();
> > close(fd_slave);
> > +
> > + if (pledge("stdio", NULL) == -1)
> > + fatalx("pledge");
> > +
> > return (1);
> > }
> >
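Review bot: the "stdio" pledge lands immediately before `return (1)`, so whatever the caller does after this return must need nothing beyond stdio; worth confirming that no open(2), socket(2) or getpw lookup happens on that path afterwards. Ordering is right otherwise, since `endpwent()` and `close(fd_slave)` are already done before the promise set is narrowed. The bare `if` without braces follows style(9); the other two hunks brace the same single-statement body, so one form should be picked for all three.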
> > @@ -302,6 +306,11 @@
> > case AUTH_SLAVE:
> > /* User-privileged slave */
> > debugmsg("user-privileged slave started");
> > +
> > + if (pledge("stdio rpath getpw proc wpath cpath
> > inet ioctl sendfd recvfd",
> > + NULL) == -1) {
> > + fatalx("pledge");
> > + }
>
> Whoa, still a big list of promises, and some are a bit unexpected for
> me. Could you explain the need for them?
>
> I mean, if "rpath wpath cpath" are expected for a daemon that serves
> files, "ioctl" for example is more questionable. Could you explain
> quickly why or where ftpd needs them?
>
- sendfd / recvfd are for active ftp
- ioctl is e.g. used for "ls" after ftp(1) established a connection.
  I'm not exactly sure why, as there is no ioctl(2) call, but maybe
  in one underlying library.
- proc for fork e.g. (popen_ftpd.c)
- getpwnam for getpwnam(3) e.g. in ftpd.c
> thanks.
>
> > return;
> > /* NOTREACHED */
> > case AUTH_MONITOR:
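Review bot: "ioctl" is granted to the user-privileged slave without a known call site; the thread only establishes that "ls" fails without it and that ftpd itself makes no ioctl(2) call. An unexplained promise is hard to justify at the next review, so find the caller first (ktrace(1) on the slave and kdump(1) will show the ioctl request and the library issuing it), then either record the reason in a comment beside the pledge or drop the promise if the call can be avoided. As quoted, the string literal also breaks across two lines (`"stdio rpath getpw proc wpath cpath` / `inet ioctl sendfd recvfd"`); if that is not mail wrapping it will not compile and needs to be one literal or adjacent quoted pieces. Lastly, the braces around the single `fatalx("pledge");` statement are not style(9) and differ from the first hunk.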
> > @@ -311,6 +320,11 @@
> > setproctitle("%s: [priv post-auth]",
> > remotehost);
> > slavequit = 1;
> > +
> > + if (pledge("stdio proc dns inet sendfd",
> > + NULL) == -1) {
> > + fatalx("pledge");
> > + }
> >
> > send_data(fd_slave, &slavequit,
> > sizeof(slavequit));
> >
> >
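Review bot: this is the privileged post-auth process, so each promise here should carry a short justification in a comment next to the pledge. `slavequit = 1` a few lines up indicates the slave has already been forked, so confirm "proc" is still needed after this point and, if so, say for which call; likewise "dns" in a process whose remaining job appears to be handling privileged sockets on behalf of the slave (which is what "inet" and "sendfd" cover). Placing the pledge before `send_data(fd_slave, &slavequit, sizeof(slavequit))` is fine, since that write needs only stdio. The braces around the single `fatalx("pledge");` statement are not style(9).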
>
> --
> Sebastien Marie
>