Tame syslogd privsep child with "stdio rpath unix inet recvfd".

author bluhm <bluhm@openbsd.org>

Fri, 9 Oct 2015 12:07:32 +0000 (12:07 +0000)

committer bluhm <bluhm@openbsd.org>

Fri, 9 Oct 2015 12:07:32 +0000 (12:07 +0000)
author bluhm <bluhm@openbsd.org>
Fri, 9 Oct 2015 12:07:32 +0000 (12:07 +0000)
committer bluhm <bluhm@openbsd.org>
Fri, 9 Oct 2015 12:07:32 +0000 (12:07 +0000)
diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c

index dbb557c..41d64df 100644 (file)
--- a/usr.sbin/syslogd/syslogd.c
+++ b/usr.sbin/syslogd/syslogd.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: syslogd.c,v 1.190 2015/09/29 03:19:23 guenther Exp $  */
+/*     $OpenBSD: syslogd.c,v 1.191 2015/10/09 12:07:32 bluhm Exp $     */
  
  /*
   * Copyright (c) 1983, 1988, 1993, 1994
@@ -593,6 +593,9 @@ main(int argc, char *argv[])
         if (priv_init(ConfFile, NoDNS, lockpipe[1], nullfd, argv) < 0)
                 errx(1, "unable to privsep");
  
+       if (tame("stdio rpath unix inet recvfd", NULL) == -1)
+               err(1, "tame");
+
         /* Process is now unprivileged and inside a chroot */
         event_init();
author	bluhm <bluhm@openbsd.org>
	Fri, 9 Oct 2015 12:07:32 +0000 (12:07 +0000)
committer	bluhm <bluhm@openbsd.org>
	Fri, 9 Oct 2015 12:07:32 +0000 (12:07 +0000)