On Thu, Jul 02, 2020 at 12:39:47PM -0600, Theo de Raadt wrote: > The unveil("/", "x") is to support command execution:
Of course. Forgot that. bluhm
Index: usr.sbin/sensorsd/sensorsd.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/sensorsd/sensorsd.c,v
retrieving revision 1.66
diff -u -p -r1.66 sensorsd.c
--- usr.sbin/sensorsd/sensorsd.c 28 Jun 2019 13:32:50 -0000 1.66
+++ usr.sbin/sensorsd/sensorsd.c 2 Jul 2020 18:43:25 -0000
@@ -94,7 +94,7 @@ void reparse_cfg(int);
 TAILQ_HEAD(sdlimhead_t, sdlim_t);
 struct sdlimhead_t sdlims = TAILQ_HEAD_INITIALIZER(sdlims);
-char *configfile;
+char *configfile, *configdb;
 volatile sig_atomic_t reload = 0;
 int debug = 0;
@@ -125,10 +125,9 @@ main(int argc, char *argv[])
 debug = 1;
 break;
 case 'f':
- configfile = optarg;
- if (access(configfile, R_OK) != 0)
- err(1, "access configuration file %s",
- configfile);
+ configfile = realpath(optarg, NULL);
+ if (configfile == NULL)
+ err(1, "configuration file %s", optarg);
 break;
 default:
 usage();
@@ -143,9 +142,14 @@ main(int argc, char *argv[])
 if (configfile == NULL)
 if (asprintf(&configfile, "/etc/sensorsd.conf") == -1)
 err(1, "out of memory");
+ if (asprintf(&configdb, "%s.db", configfile) == -1)
+ err(1, "out of memory");
+ chdir("/");
 if (unveil(configfile, "r") == -1)
 err(1, "unveil");
+ if (unveil(configdb, "r") == -1)
+ err(1, "unveil");
 if (unveil("/", "x") == -1)
 err(1, "unveil");
@@ -158,7 +162,7 @@ main(int argc, char *argv[])
 parse_config(configfile);
- if (debug == 0 && daemon(0, 0) == -1)
+ if (debug == 0 && daemon(1, 0) == -1)
 err(1, "unable to fork");
 signal(SIGHUP, reparse_cfg);
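Review bot: In the `case 'f':` branch the `access(configfile, R_OK)` check is gone, so the option handler now only proves that the path resolves, not that it can be read. An unreadable file is reported later, presumably by parse_config(), whose body is not visible here. realpath() also fixes the symlink target at startup, so the unveil() calls further down and any later SIGHUP reload apply to the resolved file, not to whatever optarg names by then. A one-line comment would record why the path is made absolute, e.g. `/* absolute path: we chdir("/") and unveil it before parsing */`. The switch and main() continue outside the hunk.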
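Review bot: The added `chdir("/");` in the third hunk ignores its return value, while every neighbouring call there is checked with err(1, ...). This matters because the last hunk switches to `daemon(1, 0)`, which no longer changes directory itself, so a failed chdir would leave the daemon running in the caller's working directory. Suggest `if (chdir("/") == -1) err(1, "chdir /");`. main() starts and ends outside both hunks.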