On Sun, Apr 03, 2016 at 06:51:47PM +0200, Theo Buehler wrote:
> > > + if (pledge("stdio rpath getpw proc wpath cpath
> > > inet ioctl sendfd recvfd",
> > > + NULL) == -1) {
> > > + fatalx("pledge");
> > > + }
> >
> > Whoa, still a big list of promises, and some are a bit unexpected for
> > me. Could you explain the need for them?
> >
> > I mean, if "rpath wpath cpath" are expected for a daemon that serves
> > files, "ioctl" for example is more questionable. Could you explain
> > quickly why or where ftpd needs them?
>
> Pretty sure that "ioctl" promise can be replaced with "tty".
>
> retrieve() -> ftpd_popen() -> ls_main()
>
> /usr/src/bin/ls/ls_main.c:121 contains a call to
> "ioctl(STDOUT_FILENO, TIOCGWINSZ, &win)".
>
> I'm a bit worried about this execv() call in popen.c:143 in ftpd_popen()
>
> Are you sure this can't be reached?
>
> Otherwise an "exec" promise would probably also be needed.
>
No I'm not, see updated diff below. :) Thanks for the hint. --f. Index: monitor.c =================================================================== RCS file: /cvs/src/libexec/ftpd/monitor.c,v retrieving revision 1.23 diff -u -r1.23 monitor.c --- monitor.c 16 Nov 2015 17:31:14 -0000 1.23 +++ monitor.c 3 Apr 2016 18:44:50 -0000 @@ -193,6 +193,10 @@ endpwent(); close(fd_slave); + + if (pledge("stdio", NULL) == -1) + fatalx("pledge"); + return (1); } @@ -302,6 +306,11 @@ case AUTH_SLAVE: /* User-privileged slave */ debugmsg("user-privileged slave started"); + + if (pledge("stdio rpath wpath cpath inet getpw sendfd recvfd tty proc exec", + NULL) == -1) { + fatalx("pledge"); + } return; /* NOTREACHED */ case AUTH_MONITOR: @@ -311,6 +320,11 @@ setproctitle("%s: [priv post-auth]", remotehost); slavequit = 1; + + if (pledge("stdio inet dns inet sendfd proc", + NULL) == -1) { + fatalx("pledge"); + } send_data(fd_slave, &slavequit, sizeof(slavequit));
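Review bot: in the first hunk (@@ -193,6 +193,10 @@) the pledge("stdio", NULL) lands right after close(fd_slave) and before return (1), which is the tightest of the three lists, but nothing in the hunk records which process this is or why it needs nothing beyond stdio; a one-line comment above the call would let a reader verify the choice without tracing the caller, and since a violated promise kills the process rather than returning an error, it is also the place to note what was exercised. Style: this hunk uses the brace-less `if (pledge("stdio", NULL) == -1)` form while the other two hunks brace the same single-statement body; pick one form for all three.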
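Review bot: the AUTH_SLAVE hunk (@@ -302,6 +306,11 @@) should carry a comment explaining the two promises the thread had to ask about: "tty" replaces the earlier "ioctl" because of the TIOCGWINSZ ioctl in ls_main.c, and "proc exec" is there for the execv() in ftpd_popen(); without that, the next reviewer asks the same questions. Worth stating in that comment as well that the program started by execve() under the "exec" promise runs without this pledge, so the ls child is outside the sandbox this hunk sets up. If "getpw" is only needed before this point (the earlier list in the thread had it before the switch), consider whether it can be dropped from the user-privileged slave.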
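Review bot: "inet" appears twice in the AUTH_MONITOR promise string in the last hunk (@@ -311,6 +320,11 @@), `"stdio inet dns inet sendfd proc"`; the duplicate is harmless to pledge(2) but reads like an editing slip, so drop the second one. "dns" appears only in this list and, unlike the others, nothing in the thread says what the privileged post-auth monitor still resolves; either comment it or drop it if no lookup happens after this point. The pledge precedes send_data(fd_slave, &slavequit, ...), which is fine since that write on the already-open socketpair is covered by "stdio".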
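The repeated "inet" in the AUTH_MONITOR string, and the rule that a process can only ever narrow its promises with later pledge() calls, are the kind of thing worth checking mechanically before a pledge diff goes in. The checker below is an added example, not part of the ftpd diff or the OpenBSD tree; the promise-name list it carries is an assumed subset of what pledge(2) documents.

```python
"""Lint pledge(2) promise strings the way a reviewer of the ftpd diff would.

Checks: every token is a promise name we know, no promise is repeated,
and successive pledge() calls in one process only narrow the set (pledge
can drop promises but never regain them).
"""

# Assumed subset of pledge(2) promise names (the names used in the thread
# plus common ones); the man page of the target release is the authority.
KNOWN_PROMISES = frozenset("""
    stdio rpath wpath cpath dpath tmppath inet unix dns getpw sendfd recvfd
    ioctl tty proc exec prot_exec fattr flock settime ps vminfo id pf route
""".split())


def check_promises(promises):
    """Return the problems found in one promise string (empty list if clean)."""
    problems = []
    seen = set()
    for name in promises.split():
        if name not in KNOWN_PROMISES:
            problems.append(f"unknown promise {name!r}")
        if name in seen:
            problems.append(f"duplicate promise {name!r}")
        seen.add(name)
    return problems


def check_sequence(stages):
    """stages: promise strings pledged in order by ONE process.

    Each later pledge must be a subset of the one before it."""
    problems = []
    prev = None
    for i, promises in enumerate(stages):
        problems += [f"stage {i}: {msg}" for msg in check_promises(promises)]
        cur = set(promises.split())
        if prev is not None and not cur <= prev:
            problems.append(f"stage {i}: tries to regain {sorted(cur - prev)}")
        prev = cur
    return problems


if __name__ == "__main__":
    # The three strings from the diff, checked one process at a time.
    for label, stages in {
        "hunk 1": ["stdio"],
        "AUTH_SLAVE": ["stdio rpath wpath cpath inet getpw sendfd recvfd tty proc exec"],
        "AUTH_MONITOR": ["stdio inet dns inet sendfd proc"],
    }.items():
        print(label, check_sequence(stages) or "ok")
```

Running it flags only the AUTH_MONITOR string, for the duplicated "inet".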