From a01c707b33fea7fce7f0eab27d61d9fe6eda7cc1 Mon Sep 17 00:00:00 2001 From: bluhm Date: Thu, 15 Oct 2015 20:14:23 +0000 Subject: [PATCH] Pledge login_token with "stdio rpath wpath cpath fattr getpw tty". OK deraadt@ --- libexec/login_token/login_token.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libexec/login_token/login_token.c b/libexec/login_token/login_token.c index 1f84e823906..668baaf14dd 100644 --- a/libexec/login_token/login_token.c +++ b/libexec/login_token/login_token.c @@ -1,4 +1,4 @@ -/* $OpenBSD: login_token.c,v 1.11 2013/12/03 01:29:00 deraadt Exp $ */ +/* $OpenBSD: login_token.c,v 1.12 2015/10/15 20:14:23 bluhm Exp $ */ /*- * Copyright (c) 1995, 1996 Berkeley Software Design, Inc. All rights reserved. @@ -81,6 +81,9 @@ main(int argc, char *argv[]) if (setrlimit(RLIMIT_CORE, &cds) < 0) syslog(LOG_ERR, "couldn't set core dump size to 0: %m"); + if (pledge("stdio rpath wpath cpath fattr getpw tty", NULL) == -1) + err(1, "pledge"); + (void)sigprocmask(SIG_BLOCK, &blockset, NULL); if (token_init(argv[0]) < 0) { syslog(LOG_ERR, "unknown token type"); -- 2.20.1