diff options
author | Florian Obser <florian@cvs.openbsd.org> | 2015-11-05 19:15:23 +0000 |
---|---|---|
committer | Florian Obser <florian@cvs.openbsd.org> | 2015-11-05 19:15:23 +0000 |
commit | 4c64afcbe21f0a75f61fad9b003ebd0dcf01cf95 (patch) | |
tree | 9abf72aebc02d162ff56e0165ac59c6ebf50c2bf /usr.sbin/slowcgi | |
parent | 976f76da9b349667e73abbc413ad2110f9f0fb95 (diff) |
pledge(2) for slowcgi.
After initialization slowcgi accepts from a AF_UNIX socket, forks and
execs. After fork we only need to close(2), chdir(2) and exec.
OK benno@
Diffstat (limited to 'usr.sbin/slowcgi')
-rw-r--r-- | usr.sbin/slowcgi/slowcgi.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/usr.sbin/slowcgi/slowcgi.c b/usr.sbin/slowcgi/slowcgi.c index 24468a8c561..5bf8eb61767 100644 --- a/usr.sbin/slowcgi/slowcgi.c +++ b/usr.sbin/slowcgi/slowcgi.c @@ -1,4 +1,4 @@ -/* $OpenBSD: slowcgi.c,v 1.46 2015/11/05 19:14:56 florian Exp $ */ +/* $OpenBSD: slowcgi.c,v 1.47 2015/11/05 19:15:22 florian Exp $ */ /* * Copyright (c) 2013 David Gwynne <dlg@openbsd.org> * Copyright (c) 2013 Florian Obser <florian@openbsd.org> @@ -336,6 +336,9 @@ main(int argc, char *argv[]) setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) lerr(1, "unable to revoke privs"); + if (pledge("stdio rpath unix proc exec", NULL) == -1) + lerr(1, "pledge"); + SLIST_INIT(&slowcgi_proc.requests); event_init(); @@ -883,6 +886,8 @@ exec_cgi(struct request *c) return; case 0: /* Child process */ + if (pledge("stdio rpath exec", NULL) == -1) + lerr(1, "pledge"); close(s_in[0]); close(s_out[0]); close(s_err[0]); |