On Sun, Apr 03, 2016 at 06:28:21PM +0200, Sebastien Marie wrote: > On Sun, Apr 03, 2016 at 06:09:21PM +0200, frit...@alokat.org wrote: > > On Sat, Apr 02, 2016 at 04:38:10PM +0200, frit...@alokat.org wrote: > > > Hi, > > > > > > this adds pledge(2) to ftpd(8). > > > > > > --f. > > > > > > > With help from semarie@ the original diff was changed a little > > bit. > > > > The following processes are pledged: > > - [priv post-auth] > > - User-privileged slave > > - Unprivileged slave > > > > As I don't cover all use cases, please send me your feedback. > > > > --f. > > > > Index: monitor.c > > =================================================================== > > RCS file: /cvs/src/libexec/ftpd/monitor.c,v > > retrieving revision 1.23 > > diff -u -r1.23 monitor.c > > --- monitor.c 16 Nov 2015 17:31:14 -0000 1.23 > > +++ monitor.c 3 Apr 2016 15:42:21 -0000 > > @@ -193,6 +193,10 @@ > > > > endpwent(); > > close(fd_slave); > > + > > + if (pledge("stdio", NULL) == -1) > > + fatalx("pledge"); > > + > > return (1); > > } > > > > @@ -302,6 +306,11 @@ > > case AUTH_SLAVE: > > /* User-privileged slave */ > > debugmsg("user-privileged slave started"); > > + > > + if (pledge("stdio rpath getpw proc wpath cpath > > inet ioctl sendfd recvfd", > > + NULL) == -1) { > > + fatalx("pledge"); > > + } > > whoa, still a big list of promises, and some are a bit unexpected for > me. could you explain the need for them ? > > I mean, if "rpath wpath cpath" are expected for a daemon that serves > files, "ioctl" for example is more questionable. could you explain > quickly why or where ftpd needs them ? >
- sendfd / recvfd are for active ftp - ioctl is e.g. used for "ls" after ftp(1) established a connection I'm not exactly sure why, as there is no ioctl(2) call, but maybe in one underlying library. - proc for fork e.g. (popen_ftpd.c) - getpwnam for getpwname(3) e.g. in ftpd.c > thanks. > > > return; > > /* NOTREACHED */ > > case AUTH_MONITOR: > > @@ -311,6 +320,11 @@ > > setproctitle("%s: [priv post-auth]", > > remotehost); > > slavequit = 1; > > + > > + if (pledge("stdio proc dns inet sendfd", > > + NULL) == -1) { > > + fatalx("pledge"); > > + } > > > > send_data(fd_slave, &slavequit, > > sizeof(slavequit)); > > > > > > -- > Sebastien Marie >
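Review bot: in the first hunk (@@ -193,6 +193,10 @@, the unprivileged slave) the `pledge("stdio", NULL)` lands after `endpwent();` and `close(fd_slave);`, at the very end of the slave's setup, which is the right spot for the narrowest promise set, but the mail should say explicitly that from this point the process only reads and writes descriptors it already holds: with no "recvfd" in the list, any descriptor the monitor tried to pass to this pre-auth slave would kill it rather than be delivered. Also a style nit: this hunk writes the failure as an unbraced `fatalx("pledge");` while the other two hunks brace the same one-line body; use one form in all three places.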
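Review bot: in the AUTH_SLAVE hunk (@@ -302,6 +306,11 @@) the promise string appears broken across two lines, `"stdio rpath getpw proc wpath cpath` and then `inet ioctl sendfd recvfd",`; a C string literal cannot span a newline, so either the mail client wrapped it (in which case the diff as quoted here will not apply and a fresh copy should be sent) or the source really has a syntax error; either way, splitting it into two adjacent literals keeps it readable and inside 80 columns. On the promises: the reply justifies "ioctl" with "ls" but cannot name the ioctl(2) call, which is exactly the promise Sebastien flagged; a ktrace(1)/kdump(1) of a failing `ls` would show which request is made and from which library routine, and "ioctl" should stay only once that is known. Similarly, "sendfd" is explained as active ftp, yet the hunks show the monitor with "sendfd" only and the slave with both "sendfd" and "recvfd", so a sentence on what the user-privileged slave itself sends up to the monitor would help.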
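Review bot: the [priv post-auth] hunk (@@ -311,6 +320,11 @@) pledges "stdio proc dns inet sendfd", but the thread only explains sendfd (active ftp) and proc (fork); "dns" and "inet" in the privileged half are the ones a reader will ask about next, so a short comment above the pledge call naming which monitor request needs each promise would make the list auditable and let it be narrowed later. Also, `fatalx("pledge")` is the same message in all three hunks; including the promise string, or at least which of the three processes failed, in the message would tell from syslog which pledge call rejected.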