| field | value | date |
|---|---|---|
| author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2015-10-03 02:35:57 +0000 |
| committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2015-10-03 02:35:57 +0000 |
| commit | c6d68f0da924a2127d6bbc598b5371ebb207eb42 (patch) | |
| tree | 97542cf9ea342bd104c58310363d6400f4d96b02 | |
| parent | 21e922d96d89da7d4139d0870dcdce332a087744 (diff) | |
patch appears to work fully with tame "stdio rpath wpath cpath tmppath fattr".
in case of exploitation, no more network access, fork, execve, etc.
I wonder if we could use whitepath lists here - if it is reasonable to
limit operation in directories known early on?
-rw-r--r-- | usr.bin/patch/patch.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/usr.bin/patch/patch.c b/usr.bin/patch/patch.c index d53bda30193..3f7c54cd5d7 100644 --- a/usr.bin/patch/patch.c +++ b/usr.bin/patch/patch.c @@ -1,4 +1,4 @@ -/* $OpenBSD: patch.c,v 1.54 2014/12/13 10:31:07 tobias Exp $ */ +/* $OpenBSD: patch.c,v 1.55 2015/10/03 02:35:56 deraadt Exp $ */ /* * patch - a program to apply diffs to original files @@ -147,6 +147,9 @@ main(int argc, char *argv[]) const char *tmpdir; char *v; + if (tame("stdio rpath wpath cpath tmppath fattr", NULL) == -1) + perror("tame"); + setvbuf(stdout, NULL, _IOLBF, 0); setvbuf(stderr, NULL, _IOLBF, 0); for (i = 0; i < MAXFILEC; i++) |
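Review bot: the second hunk (the `tame()` call at the top of `main()`) fails open: when `tame("stdio rpath wpath cpath tmppath fattr", NULL)` returns -1, `perror("tame")` only reports the error and `main()` carries on without the sandbox, so on a kernel that rejects this promise list the program runs with exactly the network/fork/execve access the commit message says is removed. If continuing is intended (for example to keep the binary usable where `tame` is unavailable), a short comment next to the call would make that explicit; otherwise `err(1, "tame");` fails closed and matches the intent stated in the message. The placement itself is good: the call precedes the `setvbuf()` setup and the `MAXFILEC` loop, so no file is opened before the restriction takes effect.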