diff options
| author | Florian Obser <florian@cvs.openbsd.org> | 2015-11-21 21:12:47 +0000 |
|---|---|---|
| committer | Florian Obser <florian@cvs.openbsd.org> | 2015-11-21 21:12:47 +0000 |
| commit | da58953db5b6ede3acf3adac4b606a193f16cefd (patch) | |
| tree | ca71e5b7c0b7060e4bffef4947be28d79be52dd0 /usr.sbin | |
| parent | 5e540448b71d18cfedecc4e824ff3814cde9c0d5 (diff) | |
pledge for nsd.
The main process handles zone transfers (inet, dns), writing and
creating of zone files (wpath, cpath) and starting of child
processes (proc).
Child processes answer queries from the internet.
"Looks good" to deraadt@
Diffstat (limited to 'usr.sbin')
| -rw-r--r-- | usr.sbin/nsd/nsd.c | 5 | ||||
| -rw-r--r-- | usr.sbin/nsd/server.c | 6 |
2 files changed, 11 insertions, 0 deletions
diff --git a/usr.sbin/nsd/nsd.c b/usr.sbin/nsd/nsd.c index 2420a6512e1..d2084b77ae2 100644 --- a/usr.sbin/nsd/nsd.c +++ b/usr.sbin/nsd/nsd.c @@ -1111,6 +1111,11 @@ main(int argc, char *argv[]) nsd.username)); } #endif /* HAVE_GETPWNAM */ + + if (pledge("stdio rpath wpath cpath dns inet proc", NULL) == -1) + error("pledge"); + + xfrd_make_tempdir(&nsd); #ifdef USE_ZONE_STATS options_zonestatnames_create(nsd.options); diff --git a/usr.sbin/nsd/server.c b/usr.sbin/nsd/server.c index 9ac2687885d..13093165098 100644 --- a/usr.sbin/nsd/server.c +++ b/usr.sbin/nsd/server.c @@ -301,6 +301,12 @@ restart_child_servers(struct nsd *nsd, region_type* region, netio_type* netio, /* the child need not be able to access the * nsd.db file */ namedb_close_udb(nsd->db); + + if (pledge("stdio rpath inet", NULL) == -1) { + log_msg(LOG_ERR, "pledge"); + exit(1); + } + nsd->pid = 0; nsd->child_count = 0; nsd->server_kind = nsd->children[i].kind; |