authorTheo de Raadt <deraadt@cvs.openbsd.org>2018-08-08 22:56:43 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2018-08-08 22:56:43 +0000
commit372dce34665549fc872b0613ad2c9a7e604e408e (patch)
treea08c245900d950e308efa3c6555a467899c1c96b /usr.sbin/ntpd
parentdb1a707e52195d80e53d66d6202d723c2bf9ced6 (diff)
ntpd unveils the cert.pem "r" file (which is passed-over-socket to the
constraints process), and /usr/sbin/ntpd "x" to perform fork+exec operations.
Diffstat (limited to 'usr.sbin/ntpd')
-rw-r--r--usr.sbin/ntpd/ntpd.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/usr.sbin/ntpd/ntpd.c b/usr.sbin/ntpd/ntpd.c
index 664fff4b2b6..cb6bc137082 100644
--- a/usr.sbin/ntpd/ntpd.c
+++ b/usr.sbin/ntpd/ntpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ntpd.c,v 1.115 2018/08/04 11:07:14 mestre Exp $ */
+/* $OpenBSD: ntpd.c,v 1.116 2018/08/08 22:56:42 deraadt Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -244,6 +244,10 @@ main(int argc, char *argv[])
* Constraint processes are forked with certificates in memory,
* then privdrop into chroot before speaking to the outside world.
*/
+ if (unveil("/etc/ssl/cert.pem", "r") == -1)
+ err(1, "unveil");
+ if (unveil("/usr/sbin/ntpd", "x") == -1)
+ err(1, "unveil");
if (pledge("stdio rpath inet settime proc exec id", NULL) == -1)
err(1, "pledge");
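Review bot: Both added `err(1, "unveil")` calls print the same message, so a failure at startup does not say which path could not be unveiled; `err(1, "unveil /etc/ssl/cert.pem")` and `err(1, "unveil /usr/sbin/ntpd")` would make that clear. The two paths are hard-coded string literals here, and the code that loads the CA file and re-executes the daemon lies outside this hunk, so presumably they have to be kept in step with it by hand; if that code gets its paths from a shared constant or a library default, the unveil calls should use the same source. A short comment above the new lines would also help, for example `/* cert.pem is read for the constraint process; ntpd itself is re-exec'd; the pledge below omits "unveil", so this list is final */`. main's body starts and continues outside the hunk.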