CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: t...@cvs.openbsd.org2015/10/16 12:29:05 Modified files: usr.sbin/rebound: rebound.c Log message: two phase handling for tcp so that slow connects don't stall the process
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2015/10/16 12:40:49 Modified files: usr.bin/ssh: ssh.c Log message: better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in hostname canonicalisation - treat them as already canonical and remove the trailing '.' before matching ssh_config; ok markus@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2015/10/16 11:03:31 Modified files: sys/kern : kern_pledge.c Log message: Repair the pty check for kernels without pty support.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: schwa...@cvs.openbsd.org2015/10/16 13:21:05 Modified files: regress/usr.bin/mandoc/mdoc/Bl: column.in column.out_ascii column.out_lint Log message: test mixing of tabs with Ta
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: t...@cvs.openbsd.org2015/10/16 12:38:53 Modified files: usr.sbin/rebound: rebound.c Log message: deraadt tells me i'm supposed to check if connect() actually worked.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: m...@cvs.openbsd.org2015/10/16 13:07:24 Modified files: sys/kern : kern_sched.c Log message: Make sched_barrier() use its own task queue to avoid deadlocks. Prevent a deadlock from occuring when intr_barrier() is called from a non-primary CPU in the watchdog task, also enqueued on ``systq''. ok kettenis@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: m...@cvs.openbsd.org2015/10/16 11:07:24 Modified files: usr.bin/ssh: scp.c Log message: 0 -> NULL when comparing with a char*. ok dtucker@, djm@.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: m...@cvs.openbsd.org2015/10/16 11:56:07 Modified files: usr.bin/mail : aux.c cmd2.c cmd3.c fio.c lex.c list.c names.c popen.c strings.c temp.c vars.c Log message: Modernize allocation by: * removing unneeded casts of void* return values * replacing varied and creative error messages with the allocation function's name * replacing errx() with err() so that the errno string is reported ok beck@, jung@, millert@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: m...@cvs.openbsd.org2015/10/16 12:21:43 Modified files: usr.bin/mail : fio.c Log message: Cast isspace() argument to unsigned char. ok jca@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: m...@cvs.openbsd.org2015/10/16 11:14:04 Modified files: bin/ksh: emacs.c Log message: Cast iscntrl()'s arg to unsigned char. ok nicm@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: tob...@cvs.openbsd.org 2015/10/16 10:54:39 Modified files: distrib/common : elfrd_size.c lib/libc/gen : nlist.c usr.sbin/installboot: i386_nlist.c Log message: Check file sizes only for regular files. The current code breaks savecore due to its kvm handling. ok deraadt
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: flor...@cvs.openbsd.org 2015/10/16 12:17:12 Modified files: sbin/ping6 : ping6.8 ping6.c Log message: Move -t and -w functionality to -a. Both flags are in the way for a merge with ping(8). Let's see if we can shove every weird and special v6 functionality into -a. suggested by and OK sthen@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: t...@cvs.openbsd.org2015/10/16 12:47:53 Modified files: usr.sbin/rebound: rebound.c Log message: life is simpler if all requests go in the fifo, and then just remove them in the error case instead of duplicating code.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: ajacou...@cvs.openbsd.org 2015/10/16 13:55:39 Modified files: usr.sbin/sysmerge: sysmerge.8 sysmerge.sh Log message: Drop usage of TMPDIR. While here, stop refering to /tmp/sysmerge.XX, that's a script internal we don't need to know about.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: ajacou...@cvs.openbsd.org 2015/10/16 14:12:00 Modified files: etc/rc.d : rc.subr Log message: Missing local. ok schwarze@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: t...@cvs.openbsd.org2015/10/16 14:12:06 Modified files: usr.sbin/rebound: rebound.c Log message: naddy would like the child to exit when the parent dies. hook up a pipe between them and watch for eof in the child.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: t...@cvs.openbsd.org2015/10/16 14:25:09 Modified files: usr.sbin/rebound: rebound.c Log message: save some file descriptors. instead of a pipe, use kevent to watch parent
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: st...@cvs.openbsd.org 2015/10/16 15:13:33 Modified files: usr.sbin/smtpd : ioev.c smtp_session.c ssl.c Log message: Use SSL_get_version() not SSL_get_cipher_version(); the former gives the TLS version used for the connection, the latter gives "the SSL/TLS protocol version that first defined the cipher". Fixes "TLS version=TLSv1/SSLv3" in received/log lines. ok millert@ "I was going to commit this today, so yes definitely" ok gilles@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: schwa...@cvs.openbsd.org2015/10/16 15:35:17 Modified files: usr.bin/mandoc : main.c Log message: Once apropos(1) or man(1) are done with database access, or if the program was called as mandoc(1) in the first place, remove "flock" from our pledge(2) before entering the parsers and formatters. OK millert@ deraadt@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: j...@cvs.openbsd.org2015/10/16 14:43:27 Modified files: usr.sbin/route6d: route6d.c Log message: Unbreak route6d. Instead of breaking sendmsg(2) by adding unneeded space to its cmsg item, add space to the cmsg used by recvmsg(2), where it will be used to get the incoming packet hop limit. Reported by several over the last years, and more recently by 'bsdsx', who tested it against NetBSD route6d. Also works against Quagga ripng. ok deraadt@ sthen@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2015/10/16 13:33:15 Modified files: distrib/sets/lists/base: mi Log message: sync
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: flor...@cvs.openbsd.org 2015/10/16 14:11:59 Modified files: sbin/ping6 : ping6.8 Log message: No longer talk about -b flag, it's gone.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: gil...@cvs.openbsd.org 2015/10/16 14:54:56 Modified files: usr.sbin/smtpd : smtpd.c Log message: add flock to pledge request, needed by delivery_filename ok millert@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: tob...@cvs.openbsd.org 2015/10/16 01:37:46 Modified files: games/hack : config.h hh Log message: Disable !-command to escape to a shell. You are supposed to play, press ^Z, or open up another terminal if there is something else to do. ok deraadt
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: tob...@cvs.openbsd.org 2015/10/16 01:33:47 Modified files: usr.bin/patch : Makefile patch.c pch.c pch.h Added files: usr.bin/patch : ed.c ed.h Log message: Add native support for ed-style diffs. No need to pledge "proc exec" anymore. ok deraadt
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: tob...@cvs.openbsd.org 2015/10/16 01:40:13 Modified files: lib/libc/gen : nlist.c Log message: Validate parsed ELF values to prevent out of boundary accesses. While at it, return proper return value when encountering a stripped binary. Instead of -1 (illegal file), it should be the amount of symbols that were tried to be resolved. ok millert
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2015/10/16 00:42:02 Modified files: sys/kern : kern_pledge.c Log message: FIOSETOWN/FIOGETOWN were added to "ioctl", but study finds no programs currently needing them. delete 'em for now. ok doug
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2015/10/16 00:40:53 Modified files: sys/kern : kern_pledge.c Log message: Add TIOCCBRK and TIOCSDTR to the whitelist for pledge ioctl. cu(1) uses these. ok deraadt@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2015/10/16 01:01:53 Modified files: usr.bin/cu : cu.c Log message: doug and I think the kernel has enough features to support pledge "stdio rpath wpath cpath getpw proc exec tty" now. It will be hard to drop many of those features unless cu becomes privsep for the "upload" commands.
Re: CVS: cvs.openbsd.org: src
Now someone should go in there and fix the ^Z support, because it is broken. ksh makes it seem to work right, but running it in csh shows the tty is not being restored to the correct mode. > Modified files: > games/hack : config.h hh > > Log message: > Disable !-command to escape to a shell. You are supposed to play, press > ^Z, or open up another terminal if there is something else to do. > > ok deraadt
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: s...@cvs.openbsd.org2015/10/16 04:04:56 Modified files: sys/dev/pci: if_iwm.c if_iwmreg.h Log message: In iwm(4), correctly size and map the mbuf used for large firmware commands. Fixes occasional firmware errors while bringing the interface up or scanning. ok phessler@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: s...@cvs.openbsd.org2015/10/16 04:29:55 Modified files: sys/dev/pci: if_iwm.c Log message: Oops, committed old version of previous diff with a typo in it: NLL -> NULL
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: b...@cvs.openbsd.org2015/10/16 06:41:29 Modified files: lib/libssl/src/crypto/bn: bn.h Log message: actually include the prerequisite dependency for BIO instead of doing nastyness
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: s...@cvs.openbsd.org2015/10/16 06:17:58 Modified files: sys/dev/pci: if_iwm.c Log message: Put some iwm(4) debug code into #ifdef IWM_DEBUG. ok mpi@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: s...@cvs.openbsd.org2015/10/16 06:17:38 Modified files: sys/dev/pci: if_iwm.c Log message: Clean up iwm(4) scanning logic a bit: Reset sc_scanband in callers of iwm_mvm_scan_request() and always call ieee80211_end_scan() when done. ok mpi@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: m...@cvs.openbsd.org2015/10/16 06:36:03 Modified files: sys/net: route.c Log message: If a DOWN route entry is passed to a L2 output function, be dumb and simply use it. In most of the cases doing a route lookup at this point is a noop as it will return you the same DOWN entry you already have. The exception is the case where the route has been removed from tree since your kernel looked for it. So what? It's just a blue packet. Note that this "exception" can only happen if your sending path does not run under the KERNEL_LOCK. ok mikeb@
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: st...@cvs.openbsd.org 2015/10/16 07:45:46 Modified files: . : ftplist Log message: sync
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: st...@cvs.openbsd.org 2015/10/16 07:45:39 Modified files: build : mirrors.pl Log message: stop generating ftp:// URLs in the ftplist file, it's only for the installer which now only does http
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: js...@cvs.openbsd.org 2015/10/16 07:49:53 Modified files: lib/libtls : tls_init.3 Log message: Put tls_config_verify_client_optional() in the right place.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: tob...@cvs.openbsd.org 2015/10/16 07:54:45 Modified files: distrib/common : elfrd_size.c lib/libc/gen : nlist.c usr.sbin/installboot: i386_nlist.c Log message: Merge nlist out of boundary access fix with other nlist implementations. While at it, merge style and typo fixes back into nlist(3), too. ok deraadt, jsing, millert
Re: CVS: cvs.openbsd.org: src
On Thu, Oct 15, 2015 at 01:48:44PM -0600, Alexander Bluhm wrote: > CVSROOT: /cvs > Module name: src > Changes by: bl...@cvs.openbsd.org 2015/10/15 13:48:44 > > Modified files: > sys/net: pf_lb.c > > Log message: > When using a pf rule with both nat-to and rdr-to, it could happen > that the nated source port was reused as destination port. Do not > initialize nport at the beginning of the function, but where it is > needed. > OK sashan@ and OK henning@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: js...@cvs.openbsd.org 2015/10/16 07:48:44 Modified files: lib/libtls : tls_init.3 Log message: Fix tpyo.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2015/10/16 07:59:58 Modified files: sys/kern : kern_pledge.c Log message: For "tty" pledges, treat TIOCGPGRP and TIOCGWINSZ like TIOCGETA - returning ENOTTY instead of killing the process.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2015/10/16 08:00:37 Modified files: sys/kern : kern_pledge.c Log message: Place TIOCSTI reminder block better
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: sema...@cvs.openbsd.org 2015/10/16 08:04:11 Modified files: sys/kern : kern_pledge.c uipc_syscalls.c sys/sys: pledge.h Log message: delete pledge_bind_check() function and remove pledge_bind_check() call from sys_bind(). bind(2) still require PLEDGE_INET or PLEDGE_UNIX in order to be called, due to SYS_bind entry in pledge_syscalls array. The diff restores also the ability for PLEDGE_UNIX to call bind(2) (pledge_bind_check function missed that). problem spotted by doug@ OK deraadt@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: mill...@cvs.openbsd.org 2015/10/16 07:37:44 Modified files: bin/ksh: main.c libexec/login_skey: login_skey.c sys/kern : kern_descrip.c kern_pledge.c vfs_syscalls.c sys/sys: pledge.h usr.bin/htpasswd: htpasswd.c usr.bin/mandoc : main.c mandocdb.c usr.bin/openssl: openssl.c usr.bin/rcs: rcsprog.c usr.sbin/config: main.c usr.sbin/dev_mkdb: dev_mkdb.c usr.sbin/kvm_mkdb: kvm_mkdb.c usr.sbin/smtpd : queue.c smtpctl.c Log message: Implement real "flock" request and add it to userland programs that use pledge and file locking. OK deraadt@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: js...@cvs.openbsd.org 2015/10/16 09:12:30 Modified files: lib/libssl/src/crypto/asn1: n_pkey.c lib/libssl/src/crypto/ec: ec_asn1.c lib/libssl/src/crypto/ecdsa: ecs_asn1.c Log message: Expand DECLARE_ASN1_ALLOC_FUNCTIONS and DECLARE_ASN1_FUNCTIONS_const macros. The only change in the generated assembly is due to line numbering.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: js...@cvs.openbsd.org 2015/10/16 09:15:39 Modified files: lib/libssl/src/crypto/asn1: n_pkey.c lib/libssl/src/crypto/ec: ec_asn1.c lib/libssl/src/crypto/ecdsa: ecs_asn1.c Log message: Remove pointless externs - the structs are declared in the same files a few lines above.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: js...@cvs.openbsd.org 2015/10/16 09:09:28 Modified files: lib/libssl/src/crypto/asn1: n_pkey.c lib/libssl/src/crypto/ec: ec_asn1.c lib/libssl/src/crypto/ecdsa: ecs_asn1.c Log message: Remove pointless uses of DECLARE_ASN1_ENCODE_FUNCTIONS_const. DECLARE_ASN1_FUNCTIONS_const already includes this macro so using both means we end up with duplicate function prototypes and externs.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: n...@cvs.openbsd.org2015/10/16 09:39:14 Modified files: sys/kern : kern_pledge.c Log message: Allow PTMGET with "tty rpath wpath" but restrict only to /dev/ptm by checking cdevsw. ok deraadt
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2015/10/16 08:13:52 Modified files: usr.sbin/rmt : rmt.c Log message: ugly white space
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2015/10/16 08:20:48 Modified files: sys/kern : kern_pledge.c Log message: Always allow a r/w opening of /dev/null though the namei check. This pattern is common, especially because of daemon(3) usage. Will probably help some daemons move their pledge() calls further upwards. ok doug,
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2015/10/16 08:45:16 Modified files: bin/ksh: main.c Log message: wrap a long line
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: b...@cvs.openbsd.org2015/10/16 08:23:22 Modified files: lib/libssl/src/ssl: ssl_lib.c Log message: Fix use of pointer value after BIO_free, and remove senseless NULL checks. ok bcook@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: t...@cvs.openbsd.org2015/10/16 09:35:05 Modified files: usr.sbin/rebound: rebound.c Log message: save request length in cache. naddy noticed we weren't getting any hits.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: schwa...@cvs.openbsd.org2015/10/16 09:54:56 Modified files: etc: Makefile Removed files: etc/examples : hosts.lpd Log message: The hosts.lpd examples file does not contain a single example. The file format is so simple that no example is needed. All relevant documentation is already available from the proper place, which is the lpd(8) manual. Consequently, delete the empty file. OK millert@ dcoppa@ beck@ deraadt@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: bl...@cvs.openbsd.org 2015/10/16 10:10:11 Modified files: usr.sbin/syslogd: privsep.c Log message: Pledge the syslogd privsep process with "stdio rpath wpath cpath inet dns getpw sendfd proc exec". OK deraadt@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2015/10/16 17:09:53 Modified files: usr.sbin/rarpd : rarpd.c Log message: use daemon(), jca had the same diff in his tree
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: m...@cvs.openbsd.org2015/10/16 17:18:59 Modified files: bin/ksh: emacs.c Log message: Change x_do_ins()'s arg type from int to size_t for correctness's sake, and to silence a compiler warning. Also remove its prototype, which is directly above its definition. ok tedu@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: schwa...@cvs.openbsd.org2015/10/16 18:19:58 Modified files: usr.bin/mandoc : libmdoc.h mdoc_argv.c mdoc_macro.c roff.h regress/usr.bin/mandoc/mdoc/Bl: column.in column.out_ascii column.out_lint Log message: Very tricky diff to fix macro interpretation and spacing around tabs in .Bl -column; it took me more than a day to get this right. Triggered by a loosely related bug report from tim@. The lesson for you is: Use .Ta macros in .Bl -column, avoid tabs, or you are in for surprises: The last word before a tab is not interpreted as a macro (unless there is a blank in between), the first word after a tab isn't either (unless there is a blank in between), and a blank after a tab causes a leading blank in the respective output cell. Yes, "blank", "tab", "blank tab" and "tab blank" all have different semantics; if you write code relying on that, good luck maintaining it afterwards...
CVS: cvs.openbsd.org: src
CVSROOT:/cvs
Module name:src
Changes by: j...@cvs.openbsd.org2015/10/16 18:58:50
Modified files:
sys/kern : kern_pledge.c
Log message:
Allow a few 'get' ioctls for pledge("route"). route6d will soon use this.
ok deraadt@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: m...@cvs.openbsd.org2015/10/16 17:13:35 Modified files: bin/ksh: alloc.c Log message: Move the overflow check to alloc() so that the link struct overhead can never bite us. Suggested by Theo Buehler, inspired by Bitrig's natano@. ok tedu@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: j...@cvs.openbsd.org2015/10/16 19:01:09 Modified files: usr.sbin/route6d: route6d.c Log message: route6d pledges to use only "stdio rpath wpath cpath inet route mcast" ok deraadt@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: flor...@cvs.openbsd.org 2015/10/16 16:47:12 Modified files: sbin/ping6 : ping6.c ping6.8 Log message: Remove RFC 4620 support. The RFC is experimental and this code plain needs killing before the installed user base excedes 6. Minus 745 LOC. This is getting in the way of a merge since it has it's tentacles all over the place. OK jca@, deraadt@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: t...@cvs.openbsd.org2015/10/16 18:38:57 Modified files: usr.sbin/rebound: rebound.c Log message: don't need fcntl for non blocking socket, just ask for it upfront
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2015/10/16 16:32:22 Modified files: usr.bin/ssh: dh.h Log message: increase the minimum modulus that we will send or accept in diffie-hellman-group-exchange to 2048 bits; ok markus@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: j...@cvs.openbsd.org2015/10/16 17:00:01 Modified files: sys/kern : kern_pledge.c Log message: Also allow 6 as a miblen for NET_RT_DUMP, not all users specify a rtable. ok deraadt@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2015/10/16 16:25:50 Modified files: libexec/getty : main.c Log message: Hoist clearing of FIOASYNC to much earlier, then getty can use pledge "stdio rpath fattr proc exec tty".
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2015/10/16 16:53:32 Modified files: usr.sbin/zic : zic.c Log message: pledge "stdio rpath wpath cpath proc exec".
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2015/10/16 16:54:15 Modified files: usr.sbin/vipw : vipw.c Log message: pledge "stdio rpath wpath cpath fattr proc exec"
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2015/10/16 16:54:35 Modified files: usr.sbin/pwd_mkdb: pwd_mkdb.c Log message: pledge "stdio rpath wpath cpath getpw fattr flock"
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2015/10/16 22:41:37 Modified files: usr.bin/file : file.c Log message: The file(1) magic-parsing process was using pledge "stdio getpw proc recvfd" early on, then a set of getpwnam/setresuid/... before quickly dropping to "stdio recvfd". It receives fd's and runs the magic code on them in a chroot'd "stdio" jail. We can do better than that. Before the recent change, "proc" contained both the concepts of "forking" and "setuid". "id" is now split out as a seperate request, and it is exactly what this process needs momentarily. So this loses another window of opportunity, in case we have a major bug in hmm, it'd have to be in getpwnam ok tedu doug semarie gilles
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2015/10/16 22:31:10 Modified files: sys/sys: pledge.h sys/kern : kern_pledge.c Log message: Add pledge "id" support. This request permits setuid/seteuid/setresuid, setgid/setegid/setresgid, setgroups, setlogin, and setpriority. setrlimit and getpriority are also allowed (they are also in "proc") some of these were previously permitted in "proc" but have been removed. this seperation is intentional. "proc" is intended for reasoning about the relationship of a process "with other processes", whereas "id" deals the powerful/dangerous concept of unix ids. "id" will see some action very soon. ok gilles tedu semarie doug
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2015/10/16 22:36:10 Modified files: usr.sbin/smtpd : smtpd.c Log message: smtpd starts rather robustly with a gigantic pledge request group (keep in mind that a gigantic group is already < ~50% of POSIX). It then grinds these down bit by bit as it sets up privsep for the various processes. At startup, smtpd will need the new "id" request as well. ok gilles tedu
