authorRicardo Mestre <mestre@cvs.openbsd.org>2018-10-31 07:39:14 +0000
committerRicardo Mestre <mestre@cvs.openbsd.org>2018-10-31 07:39:14 +0000
commit54d5cb46157164d31a59414e58eab9a960756897 (patch)
tree669cf8e70526356c478aa10fc97fa3e6b27018ef /usr.sbin/ifstated/ifstated.c
parent46b448e3f27779034cea3a31ecf7df0be50d64b6 (diff)
ifstated(8) needs to load configfile from within the main loop, but also to
reload it on SIGHUP so unveil(2) it with read permissions. Additionally all commands are exec'ed through /bin/sh instead of directly so we can just unveil(2) /bin/sh with x perms. OK deraadt@
Diffstat (limited to 'usr.sbin/ifstated/ifstated.c')
-rw-r--r--usr.sbin/ifstated/ifstated.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/usr.sbin/ifstated/ifstated.c b/usr.sbin/ifstated/ifstated.c
index 2ca60f794b5..32cf2f857cc 100644
--- a/usr.sbin/ifstated/ifstated.c
+++ b/usr.sbin/ifstated/ifstated.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ifstated.c,v 1.61 2017/08/30 16:14:52 rob Exp $ */
+/* $OpenBSD: ifstated.c,v 1.62 2018/10/31 07:39:13 mestre Exp $ */
/*
* Copyright (c) 2004 Marco Pfatschbacher <mpf@openbsd.org>
@@ -31,6 +31,7 @@
#include <net/route.h>
#include <netinet/in.h>
+#include <paths.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -160,6 +161,10 @@ main(int argc, char *argv[])
&rtfilter, sizeof(rtfilter)) == -1) /* not fatal */
log_warn("%s: setsockopt tablefilter", __func__);
+ if (unveil(configfile, "r") == -1)
+ fatal("unveil");
+ if (unveil(_PATH_BSHELL, "x") == -1)
+ fatal("unveil");
if (pledge("stdio rpath route proc exec", NULL) == -1)
fatal("pledge");
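Review bot: The two unveil(2) calls at the top of the hunk fail with the same bare `fatal("unveil")`, so a log line cannot tell which path was refused, and nothing records why the config file must stay readable after the initial parse. If fatal() is printf-like as in the usual OpenBSD log.c, `fatal("unveil %s", configfile);` and `fatal("unveil %s", _PATH_BSHELL);` would distinguish them, and a comment above the first call such as `/* config is re-read on SIGHUP, so it must stay readable */` would explain the "r" permission. The pledge(2) that follows carries no "unveil" promise, which presumably locks the unveil set, so any later unveil would fail — worth a short comment if that is intended. main() continues past the end of the hunk.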
@@ -326,7 +331,7 @@ external_exec(struct ifsd_external *external, int async)
if (pid < 0) {
log_warn("fork error");
} else if (pid == 0) {
- execv("/bin/sh", argp);
+ execv(_PATH_BSHELL, argp);
_exit(1);
/* NOTREACHED */
} else {
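Review bot: An execv(2) failure in the child still falls straight through to `_exit(1)` with no diagnostic, and now that the shell is reachable only through the unveil(2) of _PATH_BSHELL, a mistake in that permission would surface only as a child that silently exits 1. A `log_warn("%s: execv %s", __func__, _PATH_BSHELL);` before `_exit(1);` would make the cause visible, matching the `log_warn("fork error")` already used on the parent side. external_exec() starts and ends outside the hunk.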