authorRicardo Mestre <mestre@cvs.openbsd.org>2018-11-13 07:29:08 +0000
committerRicardo Mestre <mestre@cvs.openbsd.org>2018-11-13 07:29:08 +0000
commitfc11923bd25db2bef5471c8392e28c723dcf09f5 (patch)
treedef0a469b509d5b8580850d2dadf811f93b7fdc9 /usr.sbin/snmpd
parenteae7a7f51c41c79bcb90f8ddd5a4e8f1c14017cf (diff)
Remove the #if 0'ed code around a broken pledge. Because of some ioctls and sysctls,
pledge cannot be used. Nevertheless, since we now have unveil available, we can use it to guarantee that in this particular case the snmpe process cannot access the filesystem at all, thereby closing a big attack vector and achieving a great level of protection even without being able to use pledge. prodded by deraadt@
Diffstat (limited to 'usr.sbin/snmpd')
-rw-r--r--usr.sbin/snmpd/snmpe.c10
1 files changed, 1 insertions, 9 deletions
diff --git a/usr.sbin/snmpd/snmpe.c b/usr.sbin/snmpd/snmpe.c
index 0b0d39c8ea6..d8a02dd87c8 100644
--- a/usr.sbin/snmpd/snmpe.c
+++ b/usr.sbin/snmpd/snmpe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: snmpe.c,v 1.55 2018/11/05 11:59:05 mestre Exp $ */
+/* $OpenBSD: snmpe.c,v 1.56 2018/11/13 07:29:07 mestre Exp $ */
/*
* Copyright (c) 2007, 2008, 2012 Reyk Floeter <reyk@openbsd.org>
@@ -124,14 +124,6 @@ snmpe_init(struct privsep *ps, struct privsep_proc *p, void *arg)
fatal("unveil");
if (unveil(NULL, NULL) == -1)
fatal("unveil");
-#if 0
- /*
- * XXX Refactoring required to move illegal ioctls and sysctls.
- * XXX See mps_* and if_mib in mib.c, etc.
- */
-BROKEN if (pledge("stdio inet route recvfd vminfo", NULL) == -1)
- fatal("pledge");
-#endif
}
void