On Thu, Jul 02, 2020 at 12:39:47PM -0600, Theo de Raadt wrote:
> The unveil("/", "x") is to support command execution:
Of course. Forgot that.
bluhm
Index: usr.sbin/sensorsd/sensorsd.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/sensorsd/sensorsd.c,v
retrieving revision 1.66
diff -u -p -r1.66 sensorsd.c
--- usr.sbin/sensorsd/sensorsd.c 28 Jun 2019 13:32:50 -0000 1.66
+++ usr.sbin/sensorsd/sensorsd.c 2 Jul 2020 18:43:25 -0000
@@ -94,7 +94,7 @@ void reparse_cfg(int);
TAILQ_HEAD(sdlimhead_t, sdlim_t);
struct sdlimhead_t sdlims = TAILQ_HEAD_INITIALIZER(sdlims);
-char *configfile;
+char *configfile, *configdb;
volatile sig_atomic_t reload = 0;
int debug = 0;
@@ -125,10 +125,9 @@ main(int argc, char *argv[])
debug = 1;
break;
case 'f':
- configfile = optarg;
- if (access(configfile, R_OK) != 0)
- err(1, "access configuration file %s",
- configfile);
+ configfile = realpath(optarg, NULL);
+ if (configfile == NULL)
+ err(1, "configuration file %s", optarg);
break;
default:
usage();
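Review bot: The `case 'f'` branch now stores a symlink-resolved absolute path, but nothing in the code says why; a comment such as `/* absolute path: we chdir("/") and unveil it below */` would record the reason. Because realpath() resolves the link once at startup, a later SIGHUP reload (reparse_cfg is installed further down) presumably rereads the original target rather than a re-pointed symlink, which deserves a line in the manual page. With the access(R_OK) check gone, an existing but unreadable file is now caught only when parse_config opens it, assuming parse_config reports that failure. main's body starts and ends outside the hunk.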
@@ -143,9 +142,14 @@ main(int argc, char *argv[])
if (configfile == NULL)
if (asprintf(&configfile, "/etc/sensorsd.conf") == -1)
err(1, "out of memory");
+ if (asprintf(&configdb, "%s.db", configfile) == -1)
+ err(1, "out of memory");
+ chdir("/");
if (unveil(configfile, "r") == -1)
err(1, "unveil");
+ if (unveil(configdb, "r") == -1)
+ err(1, "unveil");
if (unveil("/", "x") == -1)
err(1, "unveil");
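Review bot: The added `chdir("/");` ignores its return value, while every neighbouring call in this block is checked; make it `if (chdir("/") == -1) err(1, "chdir");`. This matters more because the last hunk switches to `daemon(1, 0)`, which no longer changes directory itself, so a failed chdir would leave the daemon running in the invoking user's directory. The new `err(1, "unveil")` for configdb prints the same message as the existing calls; passing the path, e.g. `err(1, "unveil %s", configdb);`, would tell the failures apart. main continues outside the hunk.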
@@ -158,7 +162,7 @@ main(int argc, char *argv[])
parse_config(configfile);
- if (debug == 0 && daemon(0, 0) == -1)
+ if (debug == 0 && daemon(1, 0) == -1)
err(1, "unable to fork");
signal(SIGHUP, reparse_cfg);