authorFlorian Obser <florian@cvs.openbsd.org>2015-11-05 19:15:23 +0000
committerFlorian Obser <florian@cvs.openbsd.org>2015-11-05 19:15:23 +0000
commit4c64afcbe21f0a75f61fad9b003ebd0dcf01cf95 (patch)
tree9abf72aebc02d162ff56e0165ac59c6ebf50c2bf /usr.sbin/slowcgi
parent976f76da9b349667e73abbc413ad2110f9f0fb95 (diff)
pledge(2) for slowcgi.
After initialization slowcgi accepts from an AF_UNIX socket, forks and execs. After fork we only need to close(2), chdir(2) and exec. OK benno@
Diffstat (limited to 'usr.sbin/slowcgi')
-rw-r--r--usr.sbin/slowcgi/slowcgi.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/usr.sbin/slowcgi/slowcgi.c b/usr.sbin/slowcgi/slowcgi.c
index 24468a8c561..5bf8eb61767 100644
--- a/usr.sbin/slowcgi/slowcgi.c
+++ b/usr.sbin/slowcgi/slowcgi.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: slowcgi.c,v 1.46 2015/11/05 19:14:56 florian Exp $ */
+/* $OpenBSD: slowcgi.c,v 1.47 2015/11/05 19:15:22 florian Exp $ */
/*
* Copyright (c) 2013 David Gwynne <dlg@openbsd.org>
* Copyright (c) 2013 Florian Obser <florian@openbsd.org>
@@ -336,6 +336,9 @@ main(int argc, char *argv[])
setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
lerr(1, "unable to revoke privs");
+ if (pledge("stdio rpath unix proc exec", NULL) == -1)
+ lerr(1, "pledge");
+
SLIST_INIT(&slowcgi_proc.requests);
event_init();
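Review bot: The promise string passed to pledge() in main() is not explained in the code, so a later maintainer cannot tell which promises are still required and which could be tightened. The commit message gives the reasoning (accept on an AF_UNIX socket, fork, exec, and chdir(2) in the child), and it is worth carrying that into a comment above the call, for example `/* unix: accept(2) on the listening socket; proc, exec: fork and exec the CGI; rpath: kept for the child's chdir(2) */`. The mapping of rpath to chdir is inferred from the commit message rather than from lines in this hunk, so confirm it when writing the comment. main() starts and continues outside the hunk.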
@@ -883,6 +886,8 @@ exec_cgi(struct request *c)
return;
case 0:
/* Child process */
+ if (pledge("stdio rpath exec", NULL) == -1)
+ lerr(1, "pledge");
close(s_in[0]);
close(s_out[0]);
close(s_err[0]);
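Review bot: The pledge() added at the top of the child branch only covers the short window before exec, and a reader could take it as sandboxing the CGI program, which it does not: per pledge(2), a program started through the exec promise begins without the caller's promises. A comment on the call would make that explicit, e.g. `/* limits only this child until execve(2); the CGI program itself is not pledged */`. Confinement of the CGI program then rests on the privilege drop visible in the main() hunk and on whatever else the daemon sets up outside this diff. The case 0 body continues past the end of the hunk, so the calls that follow could not be checked against the three promises.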