artulab
projects / openbsd / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 824e7fc)
If loading the CA certificates at startup had failed, the syslogd
authorbluhm <bluhm@openbsd.org>
Sat, 24 Oct 2015 12:49:37 +0000 (12:49 +0000)
committerbluhm <bluhm@openbsd.org>
Sat, 24 Oct 2015 12:49:37 +0000 (12:49 +0000)
child tried to load the default CA file when it was connecting to
a TLS server.  The latter has never worked as the child is chrooted
to /var/empty.  Set the CA storage to an empty string to avoid this
behavior.  As a benefit pledge "rpath" can be removed.
OK benno@

usr.sbin/syslogd/syslogd.c patch | blob | history

diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c
index e980620..e9fc07e 100644 (file)
--- a/usr.sbin/syslogd/syslogd.c
+++ b/usr.sbin/syslogd/syslogd.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: syslogd.c,v 1.200 2015/10/23 16:28:52 bluhm Exp $     */
+/*     $OpenBSD: syslogd.c,v 1.201 2015/10/24 12:49:37 bluhm Exp $     */
 
 /*
  * Copyright (c) 1983, 1988, 1993, 1994
@@ -550,6 +550,7 @@ main(int argc, char *argv[])
                        tls_config_insecure_noverifyname(client_config);
                } else {
                        struct stat sb;
+                       int fail = 1;
 
                        fd = -1;
                        p = NULL;
@@ -567,9 +568,13 @@ main(int argc, char *argv[])
                            sb.st_size) == -1) {
                                logerrorx("tls_config_set_ca_mem");
                        } else {
+                               fail = 0;
                                logdebug("CAfile %s, size %lld\n",
                                    CAfile, sb.st_size);
                        }
+                       /* avoid reading default certs in chroot */
+                       if (fail)
+                               tls_config_set_ca_mem(client_config, "", 0);
                        free(p);
                        close(fd);
                }
@@ -700,7 +705,7 @@ main(int argc, char *argv[])
        if (priv_init(ConfFile, NoDNS, lockpipe[1], nullfd, argv) < 0)
                errx(1, "unable to privsep");
 
-       if (pledge("stdio rpath unix inet recvfd", NULL) == -1)
+       if (pledge("stdio unix inet recvfd", NULL) == -1)
                err(1, "pledge");
 
        /* Process is now unprivileged and inside a chroot */
OpenBSD src
by Ahmet Artu Yildirim