From a3f0262752c0786acd822b767924c657c9e98071 Mon Sep 17 00:00:00 2001 From: deraadt Date: Tue, 26 Jul 2022 14:53:45 +0000 Subject: [PATCH] Only allow changing the domainname (from empty) before securelevel increase. libc YP support has a couple of places where the domainname is cached, and this results in wildly incoherent behaviour which could even be risky. If you want to change the domainname, you will have to reboot. ok beck miod --- sys/kern/kern_sysctl.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c index f9d1f04a845..1be54b0c156 100644 --- a/sys/kern/kern_sysctl.c +++ b/sys/kern/kern_sysctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_sysctl.c,v 1.403 2022/07/05 15:06:16 visa Exp $ */ +/* $OpenBSD: kern_sysctl.c,v 1.404 2022/07/26 14:53:45 deraadt Exp $ */ /* $NetBSD: kern_sysctl.c,v 1.17 1996/05/20 17:49:05 mrg Exp $ */ /*- @@ -486,8 +486,11 @@ kern_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, hostnamelen = newlen; return (error); case KERN_DOMAINNAME: - error = sysctl_tstring(oldp, oldlenp, newp, newlen, - domainname, sizeof(domainname)); + if (securelevel >= 1 && domainnamelen && newp) + error = EPERM; + else + error = sysctl_tstring(oldp, oldlenp, newp, newlen, + domainname, sizeof(domainname)); if (newp && !error) domainnamelen = newlen; return (error); -- 2.20.1