diff options
| author | Florian Obser <florian@cvs.openbsd.org> | 2021-05-01 11:53:07 +0000 |
|---|---|---|
| committer | Florian Obser <florian@cvs.openbsd.org> | 2021-05-01 11:53:07 +0000 |
| commit | a2395c6e69ed0443a73904970ddeca8a785362b8 (patch) | |
| tree | 6c90f8967b9b6559e215a4e1354615f2fca50b45 /sbin/slaacd | |
| parent | 53038ded2f926cea190c2f8e8aa2170e351bdc72 (diff) | |
Allow running in single user mode where /var/empty doesn't exist by
switching from chroot("/var/empty") to unveil("/", "").
This is just an extra pair of suspenders since these processes
pledge(2) to not access the filesystem.
OK deraadt
Diffstat (limited to 'sbin/slaacd')
| -rw-r--r-- | sbin/slaacd/engine.c | 9 | ||||
| -rw-r--r-- | sbin/slaacd/frontend.c | 9 |
2 files changed, 12 insertions, 6 deletions
diff --git a/sbin/slaacd/engine.c b/sbin/slaacd/engine.c index 07e55b98fbd..c39f50b33b7 100644 --- a/sbin/slaacd/engine.c +++ b/sbin/slaacd/engine.c @@ -1,4 +1,4 @@ -/* $OpenBSD: engine.c,v 1.71 2021/03/21 18:25:24 florian Exp $ */ +/* $OpenBSD: engine.c,v 1.72 2021/05/01 11:53:06 florian Exp $ */ /* * Copyright (c) 2017 Florian Obser <florian@openbsd.org> @@ -364,11 +364,14 @@ engine(int debug, int verbose) if ((pw = getpwnam(SLAACD_USER)) == NULL) fatal("getpwnam"); - if (chroot(pw->pw_dir) == -1) - fatal("chroot"); if (chdir("/") == -1) fatal("chdir(\"/\")"); + if (unveil("/", "") == -1) + fatal("unveil(\"/\", \"\")"); + if (unveil(NULL, NULL) == -1) + fatal("unveil(NULL, NULL)"); + setproctitle("%s", "engine"); log_procinit("engine"); diff --git a/sbin/slaacd/frontend.c b/sbin/slaacd/frontend.c index 10fd6b8b9aa..3553595db4c 100644 --- a/sbin/slaacd/frontend.c +++ b/sbin/slaacd/frontend.c @@ -1,4 +1,4 @@ -/* $OpenBSD: frontend.c,v 1.55 2021/03/21 18:25:24 florian Exp $ */ +/* $OpenBSD: frontend.c,v 1.56 2021/05/01 11:53:06 florian Exp $ */ /* * Copyright (c) 2017 Florian Obser <florian@openbsd.org> @@ -145,11 +145,14 @@ frontend(int debug, int verbose) if ((pw = getpwnam(SLAACD_USER)) == NULL) fatal("getpwnam"); - if (chroot(pw->pw_dir) == -1) - fatal("chroot"); if (chdir("/") == -1) fatal("chdir(\"/\")"); + if (unveil("/", "") == -1) + fatal("unveil(\"/\", \"\")"); + if (unveil(NULL, NULL) == -1) + fatal("unveil(NULL, NULL)"); + setproctitle("%s", "frontend"); log_procinit("frontend"); |