diff options
| -rw-r--r-- | libexec/spamd/grey.c | 7 | ||||
| -rw-r--r-- | libexec/spamd/spamd.c | 63 |
2 files changed, 42 insertions, 28 deletions
diff --git a/libexec/spamd/grey.c b/libexec/spamd/grey.c index 9407a03f464..33fbf650f12 100644 --- a/libexec/spamd/grey.c +++ b/libexec/spamd/grey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: grey.c,v 1.61 2015/12/08 03:21:09 beck Exp $ */ +/* $OpenBSD: grey.c,v 1.62 2015/12/10 16:06:29 beck Exp $ */ /* * Copyright (c) 2004-2006 Bob Beck. All rights reserved. @@ -1065,6 +1065,11 @@ greywatcher(void) drop_privs(); + if (pledge("stdio rpath wpath inet flock proc exec", NULL) == -1) { + syslog_r(LOG_ERR, &sdata, "pledge failed (%m)"); + exit(1); + } + startup = time(NULL); db_pid = fork(); switch (db_pid) { diff --git a/libexec/spamd/spamd.c b/libexec/spamd/spamd.c index bdc22b9ec8d..aafe0cd440b 100644 --- a/libexec/spamd/spamd.c +++ b/libexec/spamd/spamd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: spamd.c,v 1.135 2015/12/08 03:21:09 beck Exp $ */ +/* $OpenBSD: spamd.c,v 1.136 2015/12/10 16:06:29 beck Exp $ */ /* * Copyright (c) 2015 Henning Brauer <henning@openbsd.org> @@ -111,7 +111,7 @@ char *loglists(struct con *); void getcaddr(struct con *); void gethelo(char *, size_t, char *); int read_configline(FILE *); -void spamd_tls_init(char *, char *); +void spamd_tls_init(void); void check_spamd_db(void); char hostname[HOST_NAME_MAX+1]; @@ -132,6 +132,12 @@ u_short cfg_port; u_short sync_port; struct tls_config *tlscfg; struct tls *tlsctx; +uint8_t *pubcert; +size_t pubcertlen; +uint8_t *privkey; +size_t privkeylen; +char *tlskeyfile = NULL; +char *tlscertfile = NULL; extern struct sdlist *blacklists; extern int pfdev; @@ -433,11 +439,11 @@ read_configline(FILE *config) } void -spamd_tls_init(char *keyfile, char *certfile) +spamd_tls_init() { - if (keyfile == NULL && certfile == NULL) + if (tlskeyfile == NULL && tlscertfile == NULL) return; - if (keyfile == NULL || certfile == NULL) + if (tlskeyfile == NULL || tlscertfile == NULL) errx(1, "need key and certificate for TLS"); if (tls_init() != 0) @@ -453,10 +459,10 @@ spamd_tls_init(char *keyfile, char *certfile) if (tls_config_set_ciphers(tlscfg, "compat") != 0) errx(1, "failed to set tls ciphers"); - if (tls_config_set_cert_file(tlscfg, certfile) != 0) - err(1, "could not load certificate %s", certfile); - if (tls_config_set_key_file(tlscfg, keyfile) != 0) - err(1, "could not load key %s", keyfile); + if (tls_config_set_cert_mem(tlscfg, pubcert, pubcertlen) == -1) + errx(1, "unable to set TLS certificate file %s", tlscertfile); + if (tls_config_set_key_mem(tlscfg, privkey, privkeylen) == -1) + errx(1, "unable to set TLS key file %s", tlskeyfile); if (tls_configure(tlsctx, tlscfg) != 0) errx(1, "failed to configure TLS - %s", tls_error(tlsctx)); @@ -1227,8 +1233,6 @@ main(int argc, char *argv[]) const char *errstr; char *sync_iface = NULL; char *sync_baddr = NULL; - char *tlskeyfile = NULL; - char *tlscertfile = NULL; tzset(); openlog_r("spamd", LOG_PID | LOG_NDELAY, LOG_DAEMON, &sdata); @@ -1371,6 +1375,13 @@ main(int argc, char *argv[]) } else if (maxblack > maxcon) usage(); + if (tlscertfile && + (pubcert=tls_load_file(tlscertfile, &pubcertlen, NULL)) == NULL) + errx(1, "unable to load TLS certificate file %s", tlscertfile); + if (tlskeyfile && + (privkey=tls_load_file(tlskeyfile, &privkeylen, NULL)) == NULL) + errx(1, "unable to load TLS key file %s", tlskeyfile); + rlp.rlim_cur = rlp.rlim_max = maxcon + 15; if (setrlimit(RLIMIT_NOFILE, &rlp) == -1) err(1, "setrlimit"); @@ -1448,9 +1459,6 @@ main(int argc, char *argv[]) check_spamd_db(); - if (pledge("stdio rpath wpath flock inet proc exec id", NULL) == -1) - err(1, "pledge"); - maxblack = (maxblack >= maxcon) ? maxcon - 100 : maxblack; if (maxblack < 0) maxblack = 0; @@ -1486,6 +1494,18 @@ main(int argc, char *argv[]) _exit(1); } close(trappipe[1]); + + if (chroot("/var/empty") == -1 || chdir("/") == -1) { + syslog(LOG_ERR, "cannot chdir to /var/empty."); + exit(1); + } + + if (pw) + if (setgroups(1, &pw->pw_gid) || + setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || + setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) + err(1, "failed to drop privs"); + goto jail; } /* parent - run greylister */ @@ -1506,22 +1526,11 @@ main(int argc, char *argv[]) } jail: - spamd_tls_init(tlskeyfile, tlscertfile); - - if (chroot("/var/empty") == -1 || chdir("/") == -1) { - syslog(LOG_ERR, "cannot chdir to /var/empty."); - exit(1); - } - - if (pw) - if (setgroups(1, &pw->pw_gid) || - setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || - setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) - err(1, "failed to drop privs"); - if (pledge("stdio inet", NULL) == -1) err(1, "pledge"); + spamd_tls_init(); + if (listen(smtplisten, 10) == -1) err(1, "listen"); |