On Sun, Apr 03, 2016 at 06:51:47PM +0200, Theo Buehler wrote:
> > > + if (pledge("stdio rpath getpw proc wpath cpath
> > > inet ioctl sendfd recvfd",
> > > + NULL) == -1) {
> > > + fatalx("pledge");
> > > + }
> >
> > whoa, still a big list of promises, and some are a bit unexpected for
> > me. could you explain the need for them ?
> >
> > I mean, if "rpath wpath cpath" are expected for a daemon that serves
> > files, "ioctl" for example is more questionable. could you explain
> > quickly why or where ftpd needs them ?
>
> Pretty sure that "ioctl" promise can be replaced with "tty".
>
> retrieve() -> ftpd_popen() -> ls_main()
>
> /usr/src/bin/ls/ls_main.c:121 contains a call to
> "ioctl(STDOUT_FILENO, TIOCGWINSZ, &win)".
>
> I'm a bit worried about this execv() call in popen.c:143 in ftpd_popen()
>
> Are you sure this can't be reached?
>
> Otherwise an "exec" promise would probably also be needed.
>
No I'm not, see updated diff below. :)
Thanks for the hint.
--f.
Index: monitor.c
===================================================================
RCS file: /cvs/src/libexec/ftpd/monitor.c,v
retrieving revision 1.23
diff -u -r1.23 monitor.c
--- monitor.c 16 Nov 2015 17:31:14 -0000 1.23
+++ monitor.c 3 Apr 2016 18:44:50 -0000
@@ -193,6 +193,10 @@
endpwent();
close(fd_slave);
+
+ if (pledge("stdio", NULL) == -1)
+ fatalx("pledge");
+
return (1);
}
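Review bot: this pledge("stdio") sits directly before return (1), so whichever process takes that return path is left with stdio only; confirm that nothing on its remaining path needs more than that, since a later socket or fd-passing call would get the process killed by the kernel rather than return an error. A style point as well: this single-statement body is unbraced while the other two pledge calls in the diff use braces; either is fine under KNF, but one form throughout the file reads better.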
@@ -302,6 +306,11 @@
case AUTH_SLAVE:
/* User-privileged slave */
debugmsg("user-privileged slave started");
+
+ if (pledge("stdio rpath wpath cpath inet getpw
sendfd recvfd tty proc exec",
+ NULL) == -1) {
+ fatalx("pledge");
+ }
return;
/* NOTREACHED */
case AUTH_MONITOR:
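Review bot: the promise string is wrapped after "getpw"; if that wrap is two adjacent string literals in the source, make sure the separating space survives ("... getpw " "sendfd ..."), because "getpwsendfd" is not a promise, pledge() fails with EINVAL, and every AUTH_SLAVE then dies in fatalx. A short comment above the call recording why "tty" and "exec" are needed (the TIOCGWINSZ ioctl in ls_main() and the execv() in ftpd_popen(), per the thread) would answer the question raised earlier in the thread, and it is worth stating there that with "exec" the program started by ftpd_popen() runs with no pledge restrictions of its own.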
@@ -311,6 +320,11 @@
setproctitle("%s: [priv post-auth]",
remotehost);
slavequit = 1;
+
+ if (pledge("stdio inet dns inet sendfd proc",
+ NULL) == -1) {
+ fatalx("pledge");
+ }
send_data(fd_slave, &slavequit,
sizeof(slavequit));
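Review bot: "inet" appears twice in this promise string ("stdio inet dns inet sendfd proc"); the kernel tolerates the repeat, but drop one. The earlier question in the thread was why each promise is needed, and "dns" in a post-auth monitor is the one that stands out here, so a comment above the call justifying it (and "proc") would help the next reader.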
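Two of the review points above (a promise string wrapped across literals, and a repeated promise) are easy to miss by eye. The following is an added example, not part of ftpd or of the diff: a small lint for pledge(2) promise strings that can be compiled on any host, including one without pledge(). It tokenizes on spaces the way the kernel does, flags tokens that are not known promises, and flags duplicates. The known-promise table is an assumed subset of pledge(2)'s keywords, chosen to cover the strings in this thread; extend it for other code.

```c
/* Added example: a review-time lint for pledge(2) promise strings.
 * Not ftpd code. The known_promises table is an assumed subset of the
 * keywords documented in pledge(2); add entries as needed. */
#include <stdio.h>
#include <string.h>

static const char *known_promises[] = {
	"stdio", "rpath", "wpath", "cpath", "dpath", "tmppath", "inet", "unix",
	"dns", "getpw", "sendfd", "recvfd", "ioctl", "tty", "proc", "exec",
	"prot_exec", "fattr", "flock", "id", "ps", "settime", "vminfo",
	NULL
};

/* Bitmask returned by lint_promises(). */
enum { LINT_OK = 0, LINT_UNKNOWN = 1, LINT_DUP = 2 };

#define MAX_TOK 64

static int
is_known(const char *tok, size_t len)
{
	size_t i;

	for (i = 0; known_promises[i] != NULL; i++)
		if (strlen(known_promises[i]) == len &&
		    strncmp(known_promises[i], tok, len) == 0)
			return 1;
	return 0;
}

/* Scan a space-separated promise string. Returns a LINT_* bitmask and,
 * when out is non-NULL, prints one line per problem found. */
int
lint_promises(const char *promises, FILE *out)
{
	const char *seen[MAX_TOK];
	size_t seenlen[MAX_TOK];
	int nseen = 0, flags = LINT_OK;
	const char *p = promises;

	while (*p != '\0') {
		const char *tok;
		size_t len, i;

		while (*p == ' ')	/* skip separators, tolerate runs */
			p++;
		if (*p == '\0')
			break;
		tok = p;
		while (*p != '\0' && *p != ' ')
			p++;
		len = (size_t)(p - tok);

		if (!is_known(tok, len)) {
			flags |= LINT_UNKNOWN;
			if (out != NULL)
				fprintf(out, "unknown promise \"%.*s\" "
				    "(missing space between literals?)\n",
				    (int)len, tok);
		}
		for (i = 0; i < (size_t)nseen; i++) {
			if (seenlen[i] == len &&
			    strncmp(seen[i], tok, len) == 0) {
				flags |= LINT_DUP;
				if (out != NULL)
					fprintf(out, "duplicate promise "
					    "\"%.*s\"\n", (int)len, tok);
				break;
			}
		}
		if (i == (size_t)nseen && nseen < MAX_TOK) {
			seen[nseen] = tok;
			seenlen[nseen] = len;
			nseen++;
		}
	}
	return flags;
}

int
main(void)
{
	/* The three strings from the diff. The second is written as two
	 * adjacent literals with the separating space dropped, the mistake
	 * a line wrap can hide; the third carries the repeated "inet". */
	const char *strings[] = {
		"stdio",
		"stdio rpath wpath cpath inet getpw" "sendfd recvfd tty proc exec",
		"stdio inet dns inet sendfd proc",
	};
	size_t i;

	for (i = 0; i < sizeof(strings) / sizeof(strings[0]); i++) {
		printf("checking \"%s\"\n", strings[i]);
		if (lint_promises(strings[i], stdout) == LINT_OK)
			printf("  ok\n");
	}
	return 0;
}
```

Run it before sending a diff that adds or widens a pledge() call; an unknown token is the concatenation bug, a duplicate is the cleanup the third hunk needs. It says nothing about whether a promise is actually required, which is the question only reading the code path answers.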