Theo de Raadt wrote:
        After pledge, 80% of the base programs were converted to pledge-assisted
        priv-drop, because it was really obvious that "initialization code" could
        and should be moved earlier in the program, so that pledge (or multiple
        pledge calls dropping permissions further) could be added to the
        program.

        Inside the group, we called this moving of initialization code to
        earlier "hoisting".

Hoisting and cleanup can have very large benefits independent of implementing pledge or other security features.
I have seen programs shrink by almost 90% and gain functionality as a result.

In one case it -was- a program which ran with privileges equivalent to root.
As a byproduct of the cleanup we were later able to assure ourselves that the result needed no more changes to be as secure as we could make it.

geoff steckel
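An added illustration of the hoisting Theo describes above; this is not code from either poster or from the OpenBSD tree. A small program reads a config file, shown once with the read inside its work loop (so "rpath" must stay promised for the program's whole life) and once with the read hoisted ahead of a second, narrower pledge call. The config path, the key=value format, the apply_pledge wrapper, the function names and the sample file contents are all assumptions made for this example. On OpenBSD the wrapper calls the real pledge(2); elsewhere it only records the promise string so the control flow can still be run and inspected.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Most recent promise set handed to apply_pledge(), kept so the narrowing
 * can be inspected on systems that have no pledge(2). */
static char last_promises[64] = "(none)";

/* Wrapper around pledge(2): enforced on OpenBSD, recorded-only elsewhere.
 * Across successive calls promises can only be narrowed, never widened. */
static int apply_pledge(const char *promises)
{
    snprintf(last_promises, sizeof last_promises, "%s", promises);
#ifdef __OpenBSD__
    return pledge(promises, NULL);
#else
    return 0; /* no pledge(2) here: recorded, not enforced (assumption) */
#endif
}

const char *last_pledge(void) { return last_promises; }

struct config {
    char greeting[64];
    int repeat;
};

/* Parse "key=value" lines from an already-open stream. Taking a FILE*
 * rather than a path keeps the decision of *when* to open the file out of
 * the parser, which is what makes the open hoistable. */
static int parse_config(FILE *fp, struct config *cfg)
{
    char line[128];
    cfg->greeting[0] = '\0';
    cfg->repeat = 0;
    while (fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\n")] = '\0';
        if (strncmp(line, "greeting=", 9) == 0)
            snprintf(cfg->greeting, sizeof cfg->greeting, "%s", line + 9);
        else if (strncmp(line, "repeat=", 7) == 0)
            cfg->repeat = atoi(line + 7);
    }
    return (cfg->greeting[0] != '\0' && cfg->repeat > 0) ? 0 : -1;
}

/* Before hoisting: the file is reopened inside the work loop, so "rpath"
 * has to remain in the promise set for the program's entire lifetime. */
int run_unhoisted(const char *path)
{
    struct config cfg;
    if (apply_pledge("stdio rpath") == -1)
        return -1;
    for (int round = 0; round < 2; round++) {
        FILE *fp = fopen(path, "r");
        if (fp == NULL)
            return -1;
        int rc = parse_config(fp, &cfg);
        fclose(fp);
        if (rc == -1)
            return -1;
        printf("%s\n", cfg.greeting);
    }
    return 0;
}

/* After hoisting: all filesystem work happens up front, then a second
 * pledge call drops "rpath" before the long-lived work starts. On OpenBSD
 * any fopen() after that point kills the process. Returns the number of
 * greetings printed, or -1 on failure. */
int run_hoisted(const char *path)
{
    struct config cfg;
    if (apply_pledge("stdio rpath") == -1)
        return -1;
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    int rc = parse_config(fp, &cfg);
    fclose(fp);
    if (rc == -1)
        return -1;
    if (apply_pledge("stdio") == -1) /* narrower: rpath no longer needed */
        return -1;
    for (int round = 0; round < cfg.repeat; round++)
        printf("%s\n", cfg.greeting);
    return cfg.repeat;
}

/* Write a constructed sample config (not from the thread). Must run before
 * any pledge call, since creating a file needs "wpath cpath". */
int write_sample_config(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    fputs("greeting=hello from a pledged process\nrepeat=3\n", fp);
    return fclose(fp);
}

int main(void)
{
    const char *path = "/tmp/hoist_sample.conf"; /* constructed sample path */
    if (write_sample_config(path) == -1 || run_hoisted(path) == -1)
        return 1;
    printf("final promises: %s\n", last_pledge());
    return 0;
}
```

The two variants do the same work; the difference is purely where the open sits. Once the open is hoisted, the promise set after initialization shrinks to "stdio", and a later bug that tries to read a file becomes a kernel-enforced crash instead of a quiet success.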
