CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2015/10/02 20:22:38
Modified files:
usr.sbin/traceroute: traceroute.c
Log message:
like ping, traceroute is a setuid root priv-drop which holds a sockraw.
we can tame it substantially with "stdio inet", plus "dns" if the -n option
is missing. a successful exploit against it then cannot create files, or
perform a variety of other operations, as described in the tame(2) man page.
florian helped me a fair bit hoisting initialization code upwards in ping,
ping6, and traceroute, to make tame work here.