author | Jonathan Matthew <jmatthew@cvs.openbsd.org> | 2015-11-15 01:31:58 +0000 |
---|---|---|
committer | Jonathan Matthew <jmatthew@cvs.openbsd.org> | 2015-11-15 01:31:58 +0000 |
commit | 2fde2f7e9ee4be054f5a8fcc1121309f8daaac31 (patch) | |
tree | 7b039e4be59651c8ed398127640972f982e2c25c | |
parent | b8b7f40768251382a7ea30f00daa778c34969a20 (diff) |
pledge for ypldap is easy because it's purely a network program.
One process talks to yp clients, one talks to ldap servers, one does dns.
ok deraadt@
-rw-r--r-- | usr.sbin/ypldap/ldapclient.c | 5 | ||||
-rw-r--r-- | usr.sbin/ypldap/ypldap.c | 5 | ||||
-rw-r--r-- | usr.sbin/ypldap/ypldap_dns.c | 5 |
3 files changed, 12 insertions, 3 deletions
diff --git a/usr.sbin/ypldap/ldapclient.c b/usr.sbin/ypldap/ldapclient.c
index 3cb1a0701f3..07388d53772 100644
--- a/usr.sbin/ypldap/ldapclient.c
+++ b/usr.sbin/ypldap/ldapclient.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ldapclient.c,v 1.32 2015/01/16 06:40:22 deraadt Exp $ */
+/* $OpenBSD: ldapclient.c,v 1.33 2015/11/15 01:31:57 jmatthew Exp $ */
 
 /*
 * Copyright (c) 2008 Alexander Schrijver <aschrijver@openbsd.org>
@@ -404,6 +404,9 @@ ldapclient(int pipe_main2client[2])
 #warning disabling privilege revocation in DEBUG mode
 #endif
 
+ if (pledge("stdio inet", NULL) == -1)
+ fatal("pledge");
+
 event_init();
 signal(SIGPIPE, SIG_IGN);
 signal_set(&ev_sigint, SIGINT, client_sig_handler, NULL);
diff --git a/usr.sbin/ypldap/ypldap.c b/usr.sbin/ypldap/ypldap.c
index 327a78315ae..331b6b0d08a 100644
--- a/usr.sbin/ypldap/ypldap.c
+++ b/usr.sbin/ypldap/ypldap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ypldap.c,v 1.16 2015/11/02 10:06:06 jmatthew Exp $ */
+/* $OpenBSD: ypldap.c,v 1.17 2015/11/15 01:31:57 jmatthew Exp $ */
 
 /*
 * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -608,6 +608,9 @@ main(int argc, char *argv[])
 #warning disabling privilege revocation in debug mode
 #endif
 
+ if (pledge("stdio inet", NULL) == -1)
+ fatal("pledge");
+
 bzero(&tv, sizeof(tv));
 evtimer_set(&ev_timer, main_init_timer, &env);
 evtimer_add(&ev_timer, &tv);
diff --git a/usr.sbin/ypldap/ypldap_dns.c b/usr.sbin/ypldap/ypldap_dns.c
index 24483861715..368af3742c4 100644
--- a/usr.sbin/ypldap/ypldap_dns.c
+++ b/usr.sbin/ypldap/ypldap_dns.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ypldap_dns.c,v 1.8 2015/01/16 06:40:22 deraadt Exp $ */
+/* $OpenBSD: ypldap_dns.c,v 1.9 2015/11/15 01:31:57 jmatthew Exp $ */
 
 /*
 * Copyright (c) 2003-2008 Henning Brauer <henning@openbsd.org>
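Review bot: The promise string `"stdio inet"` in ldapclient() is added with no comment saying why each promise is needed, and the same holds for the pledge() calls in the ypldap.c and ypldap_dns.c hunks. The per-process split is explained only in the commit message, so someone who later adds file access or name resolution to this process has nothing in the code warning them that the kernel will kill it. I would put a short comment above the call, e.g. `/* stdio: pipe to parent + libevent; inet: LDAP server sockets; lookups go to the dns process */`, with matching ones for the yp-facing process and for `"stdio dns"`. The call sits after the `#endif` of the DEBUG block, so it also applies in DEBUG builds, which looks intended; ldapclient() starts and continues outside the hunk.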
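Review bot: `main_init_timer` is armed right after the new pledge() in main(), so it and every later event callback run under `"stdio inet"`, and the hunk does not show what those callbacks do. If any of them (or a reload path) opens files, forks or resolves names, the parent would be killed at that point rather than fail at startup, so this needs checking against the callback bodies, which are outside the hunk. A one-line comment such as `/* everything from main_init_timer on runs pledged: sockets and pipes only */` would record the constraint next to the call.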
@@ -96,6 +96,9 @@ ypldap_dns(int pipe_ntp[2], struct passwd *pw)
 fatal("can't drop privileges");
 endservent();
 
+ if (pledge("stdio dns", NULL) == -1)
+ fatal("pledge");
+
 event_init();
 signal_set(&ev_sigint, SIGINT, dns_sig_handler, NULL);
 signal_set(&ev_sigterm, SIGTERM, dns_sig_handler, NULL); |