diff options
| author | Bob Beck <beck@cvs.openbsd.org> | 2015-12-08 03:21:10 +0000 |
|---|---|---|
| committer | Bob Beck <beck@cvs.openbsd.org> | 2015-12-08 03:21:10 +0000 |
| commit | acb418c80566decc9baeba027ae53bcfb8714070 (patch) | |
| tree | d09b653ea634f5fc5fa1fd0ce7e42cd2ef2f9ac8 /libexec | |
| parent | 4b154a643b4ef5a4448fd2e5b4d8e2e11d596eb5 (diff) | |
Initially pledge spamd
All the work done by Ricardo Mestre <serial@helheim.mooo.com> - Thanks.
Diffstat (limited to 'libexec')
| -rw-r--r-- | libexec/spamd/grey.c | 8 | ||||
| -rw-r--r-- | libexec/spamd/spamd.c | 36 |
2 files changed, 27 insertions, 17 deletions
diff --git a/libexec/spamd/grey.c b/libexec/spamd/grey.c index 6cc3b2164cd..9407a03f464 100644 --- a/libexec/spamd/grey.c +++ b/libexec/spamd/grey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: grey.c,v 1.60 2015/11/29 06:51:20 deraadt Exp $ */ +/* $OpenBSD: grey.c,v 1.61 2015/12/08 03:21:09 beck Exp $ */ /* * Copyright (c) 2004-2006 Bob Beck. All rights reserved. @@ -1018,7 +1018,7 @@ drop_privs(void) } } -static void +void check_spamd_db(void) { HASHINFO hashinfo; @@ -1045,7 +1045,6 @@ check_spamd_db(void) exit(1); } close(i); - drop_privs(); return; break; default: @@ -1056,7 +1055,6 @@ check_spamd_db(void) } db->sync(db, 0); db->close(db); - drop_privs(); } @@ -1065,7 +1063,7 @@ greywatcher(void) { struct sigaction sa; - check_spamd_db(); + drop_privs(); startup = time(NULL); db_pid = fork(); diff --git a/libexec/spamd/spamd.c b/libexec/spamd/spamd.c index 806161d589e..bdc22b9ec8d 100644 --- a/libexec/spamd/spamd.c +++ b/libexec/spamd/spamd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: spamd.c,v 1.134 2015/12/05 20:32:53 henning Exp $ */ +/* $OpenBSD: spamd.c,v 1.135 2015/12/08 03:21:09 beck Exp $ */ /* * Copyright (c) 2015 Henning Brauer <henning@openbsd.org> @@ -112,6 +112,7 @@ void getcaddr(struct con *); void gethelo(char *, size_t, char *); int read_configline(FILE *); void spamd_tls_init(char *, char *); +void check_spamd_db(void); char hostname[HOST_NAME_MAX+1]; struct syslog_data sdata = SYSLOG_DATA_INIT; @@ -1353,9 +1354,21 @@ main(int argc, char *argv[]) greylist ? " (greylist)" : "", (syncrecv || syncsend) ? " (sync)" : ""); - if (!greylist) + if (syncsend || syncrecv) { + syncfd = sync_init(sync_iface, sync_baddr, sync_port); + if (syncfd == -1) + err(1, "sync init"); + } + + if ((pw = getpwnam("_spamd")) == NULL) + errx(1, "no such user _spamd"); + + if (!greylist) { maxblack = maxcon; - else if (maxblack > maxcon) + + if (pledge("stdio rpath inet proc id", NULL) == -1) + err(1, "pledge"); + } else if (maxblack > maxcon) usage(); rlp.rlim_cur = rlp.rlim_max = maxcon + 15; @@ -1421,15 +1434,6 @@ main(int argc, char *argv[]) if (bind(conflisten, (struct sockaddr *)&lin, sizeof lin) == -1) err(1, "bind local"); - if (syncsend || syncrecv) { - syncfd = sync_init(sync_iface, sync_baddr, sync_port); - if (syncfd == -1) - err(1, "sync init"); - } - - if ((pw = getpwnam("_spamd")) == NULL) - errx(1, "no such user _spamd"); - if (debug == 0) { if (daemon(1, 1) == -1) err(1, "daemon"); @@ -1442,6 +1446,11 @@ main(int argc, char *argv[]) exit(1); } + check_spamd_db(); + + if (pledge("stdio rpath wpath flock inet proc exec id", NULL) == -1) + err(1, "pledge"); + maxblack = (maxblack >= maxcon) ? maxcon - 100 : maxblack; if (maxblack < 0) maxblack = 0; @@ -1510,6 +1519,9 @@ jail: setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) err(1, "failed to drop privs"); + if (pledge("stdio inet", NULL) == -1) + err(1, "pledge"); + if (listen(smtplisten, 10) == -1) err(1, "listen"); |