Slowcgi. Because if someone could fool it into running the wrong binary, the outcome may be suboptimal.
============
diff --git usr.sbin/slowcgi/slowcgi.8 usr.sbin/slowcgi/slowcgi.8
index d3ab4030bed..f8f07630204 100644
--- usr.sbin/slowcgi/slowcgi.8
+++ usr.sbin/slowcgi/slowcgi.8
@@ -24,6 +24,7 @@
 .Nm
 .Op Fl d
 .Op Fl p Ar path
+.Op Fl P Ar pledge
 .Op Fl s Ar socket
 .Op Fl u Ar user
 .Sh DESCRIPTION
@@ -72,6 +73,9 @@ A
 of
 .Pa /
 effectively disables the chroot.
+.It Fl P Ar pledge
+Restrict all spawned processes to the pledge
+.Ar pledge .
 .It Fl s Ar socket
 Create and bind to alternative local socket at
 .Ar socket .
diff --git usr.sbin/slowcgi/slowcgi.c usr.sbin/slowcgi/slowcgi.c
index a9a90b2db1f..16cfbd1b80a 100644
--- usr.sbin/slowcgi/slowcgi.c
+++ usr.sbin/slowcgi/slowcgi.c
@@ -275,6 +275,7 @@ main(int argc, char *argv[])
 struct passwd *pw;
 struct stat sb;
 int c, fd;
+ const char *execpledge = NULL;
 const char *chrootpath = NULL;
 const char *slowcgi_user = SLOWCGI_USER;
@@ -303,6 +304,9 @@ main(int argc, char *argv[])
 case 'p':
 chrootpath = optarg;
 break;
+ case 'P':
+ execpledge = optarg;
+ break;
 case 's':
 fcgi_socket = optarg;
 break;
@@ -353,7 +357,7 @@ main(int argc, char *argv[])
 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
 lerr(1, "unable to revoke privs");
- if (pledge("stdio rpath unix proc exec", NULL) == -1)
+ if (pledge("stdio rpath unix proc exec", execpledge) == -1)
 lerr(1, "pledge");
 SLIST_INIT(&slowcgi_proc.requests);
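Review bot: The new `case 'P':` in the option switch is only reachable if the option string passed to getopt() accepts `P` with an argument, and no hunk in this diff touches that call or the usage text. The option loop starts above this hunk, so this is inferred rather than visible. If the string was left unchanged, `-P` is rejected as an unknown option and the exec restriction can never be enabled. Add `P:` to the getopt() option string and `[-P pledge]` to usage() in the same commit.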
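Review bot: The `-P` string reaches pledge() as the exec promises unchecked, and a misspelled or unsupported promise fails with the same bare `lerr(1, "pledge")` as a failure of the daemon's own promise list. The operator then gets no hint that the `-P` value was at fault. Name the value in the message, e.g. `lerr(1, "pledge: exec promises \"%s\"", execpledge ? execpledge : "(none)");`, assuming lerr takes a printf-style format, which the visible calls do not show. When `-P` is omitted, execpledge stays NULL and spawned CGI programs run without exec promises as before, which deserves a comment above the call: `/* execpledge == NULL (no -P): CGI children are not restricted */`. main continues on both sides of this hunk.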