Slowcgi. Because if someone could fool it into
running the wrong binary, the outcome may be
suboptimal.
============
diff --git usr.sbin/slowcgi/slowcgi.8 usr.sbin/slowcgi/slowcgi.8
index d3ab4030bed..f8f07630204 100644
--- usr.sbin/slowcgi/slowcgi.8
+++ usr.sbin/slowcgi/slowcgi.8
@@ -24,6 +24,7 @@
.Nm
.Op Fl d
.Op Fl p Ar path
+.Op Fl P Ar pledge
.Op Fl s Ar socket
.Op Fl u Ar user
.Sh DESCRIPTION
@@ -72,6 +73,9 @@ A
of
.Pa /
effectively disables the chroot.
+.It Fl P Ar pledge
+Restrict all spawned processes to the pledge
+.Ar pledge .
.It Fl s Ar socket
Create and bind to alternative local socket at
.Ar socket .
diff --git usr.sbin/slowcgi/slowcgi.c usr.sbin/slowcgi/slowcgi.c
index a9a90b2db1f..16cfbd1b80a 100644
--- usr.sbin/slowcgi/slowcgi.c
+++ usr.sbin/slowcgi/slowcgi.c
@@ -275,6 +275,7 @@ main(int argc, char *argv[])
struct passwd *pw;
struct stat sb;
int c, fd;
+ const char *execpledge = NULL;
const char *chrootpath = NULL;
const char *slowcgi_user = SLOWCGI_USER;
@@ -303,6 +304,9 @@ main(int argc, char *argv[])
case 'p':
chrootpath = optarg;
break;
+ case 'P':
+ execpledge = optarg;
+ break;
case 's':
fcgi_socket = optarg;
break;
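Review bot: No hunk in this diff touches the getopt(3) option string or usage(), so unless the optstring already contains `P:`, the new `case 'P':` at the top of this hunk is unreachable and `-P` is rejected as an unknown option; the string would need to become something like `"dp:P:s:u:"` (its current value is outside the hunk, so verify) and usage() should list `[-P pledge]` to match the manual page update in this same diff. The switch belongs to main(), whose getopt loop begins before this hunk.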
@@ -353,7 +357,7 @@ main(int argc, char *argv[])
setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
lerr(1, "unable to revoke privs");
- if (pledge("stdio rpath unix proc exec", NULL) == -1)
+ if (pledge("stdio rpath unix proc exec", execpledge) == -1)
lerr(1, "pledge");
SLIST_INIT(&slowcgi_proc.requests);
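Review bot: A rejected -P string (pledge(2) fails with EINVAL on an unknown promise) is reported only as `pledge: Invalid argument` by `lerr(1, "pledge")`, with nothing pointing the operator at the execpromises argument; if lerr is printf-like, `lerr(1, "pledge (-P %s)", execpledge ? execpledge : "none")` would make the cause obvious. Behaviour without -P is unchanged since execpledge stays NULL. Note that a CGI binary which itself calls pledge(2) with promises outside the -P set will have that call fail, so the value must cover everything the spawned programs need. main() starts before this hunk.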