With the recent change by deraadt@ to introduce kern.nosuidcoredump=3,

we don't need the horrible debug hack anymore that disabled privdrop
and chroot to get core dumps of privsep processes.  No functional
change for the normal binary, only if it is compiled with the
non-default -DDEBUG option.

diff --git a/sbin/iked/proc.c b/sbin/iked/proc.c
index d1be2c6..48f88ea 100644 (file)
--- a/sbin/iked/proc.c
+++ b/sbin/iked/proc.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: proc.c,v 1.14 2014/04/22 12:00:03 reyk Exp $  */
+/*     $OpenBSD: proc.c,v 1.15 2014/05/04 10:35:24 reyk Exp $  */
 
 /*
  * Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -372,31 +372,19 @@ proc_run(struct privsep *ps, struct privsep_proc *p,
        else
                root = pw->pw_dir;
 
-#ifndef DEBUG
        if (chroot(root) == -1)
                fatal("proc_run: chroot");
        if (chdir("/") == -1)
                fatal("proc_run: chdir(\"/\")");
-#else
-#warning disabling privilege revocation and chroot in DEBUG MODE
-       if (p->p_chroot != NULL) {
-               if (chroot(root) == -1)
-                       fatal("proc_run: chroot");
-               if (chdir("/") == -1)
-                       fatal("proc_run: chdir(\"/\")");
-       }
-#endif
 
        privsep_process = p->p_id;
 
        setproctitle("%s", p->p_title);
 
-#ifndef DEBUG
        if (setgroups(1, &pw->pw_gid) ||
            setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
            setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
                fatal("proc_run: cannot drop privileges");
-#endif
 
        /* Fork child handlers */
        for (n = 1; n < ps->ps_instances[p->p_id]; n++) {

diff --git a/usr.sbin/relayd/proc.c b/usr.sbin/relayd/proc.c
index 79d188b..0c64a7d 100644 (file)
--- a/usr.sbin/relayd/proc.c
+++ b/usr.sbin/relayd/proc.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: proc.c,v 1.11 2014/04/20 14:48:29 reyk Exp $  */
+/*     $OpenBSD: proc.c,v 1.12 2014/05/04 10:32:32 reyk Exp $  */
 
 /*
  * Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -372,31 +372,19 @@ proc_run(struct privsep *ps, struct privsep_proc *p,
        else
                root = pw->pw_dir;
 
-#ifndef DEBUG
        if (chroot(root) == -1)
                fatal("proc_run: chroot");
        if (chdir("/") == -1)
                fatal("proc_run: chdir(\"/\")");
-#else
-#warning disabling privilege revocation and chroot in DEBUG MODE
-       if (p->p_chroot != NULL) {
-               if (chroot(root) == -1)
-                       fatal("proc_run: chroot");
-               if (chdir("/") == -1)
-                       fatal("proc_run: chdir(\"/\")");
-       }
-#endif
 
        privsep_process = p->p_id;
 
        setproctitle("%s", p->p_title);
 
-#ifndef DEBUG
        if (setgroups(1, &pw->pw_gid) ||
            setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
            setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
                fatal("proc_run: cannot drop privileges");
-#endif
 
        /* Fork child handlers */
        for (n = 1; n < ps->ps_instances[p->p_id]; n++) {

diff --git a/usr.sbin/snmpd/proc.c b/usr.sbin/snmpd/proc.c
index 93fdac6..640bdc2 100644 (file)
--- a/usr.sbin/snmpd/proc.c
+++ b/usr.sbin/snmpd/proc.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: proc.c,v 1.6 2014/04/21 19:47:27 reyk Exp $   */
+/*     $OpenBSD: proc.c,v 1.7 2014/05/04 10:34:35 reyk Exp $   */
 
 /*
  * Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -372,31 +372,19 @@ proc_run(struct privsep *ps, struct privsep_proc *p,
        else
                root = pw->pw_dir;
 
-#ifndef DEBUG
        if (chroot(root) == -1)
                fatal("proc_run: chroot");
        if (chdir("/") == -1)
                fatal("proc_run: chdir(\"/\")");
-#else
-#warning disabling privilege revocation and chroot in DEBUG MODE
-       if (p->p_chroot != NULL) {
-               if (chroot(root) == -1)
-                       fatal("proc_run: chroot");
-               if (chdir("/") == -1)
-                       fatal("proc_run: chdir(\"/\")");
-       }
-#endif
 
        privsep_process = p->p_id;
 
        setproctitle("%s", p->p_title);
 
-#ifndef DEBUG
        if (setgroups(1, &pw->pw_gid) ||
            setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
            setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
                fatal("proc_run: cannot drop privileges");
-#endif
 
        /* Fork child handlers */
        for (n = 1; n < ps->ps_instances[p->p_id]; n++) {