On Sat, 28 Nov 2015, at 09:31 AM, Theo de Raadt wrote:
> > rebound wants getpw, as of kern_pledge.c 1.123
> 
> You must be running snapshots, which have a tricky bit in libc that tests
> for "getpw" on non-YP systems.
> 
> This diff will work, or the getpwnam use in rebound.c should be hoisted
> up higher, similar to the most recent change in ntpd/constraint.c

Something like this?


Index: usr.sbin/rebound/rebound.c
===================================================================
RCS file: /cvs/src/usr.sbin/rebound/rebound.c,v
retrieving revision 1.46
diff -u -p -u -r1.46 rebound.c
--- usr.sbin/rebound/rebound.c  27 Nov 2015 21:12:08 -0000      1.46
+++ usr.sbin/rebound/rebound.c  27 Nov 2015 22:13:28 -0000
@@ -416,14 +416,13 @@ readconfig(FILE *conf, struct sockaddr_s
 }
 
 static int
-launch(const char *confname, int ud, int ld, int kq)
+launch(const char *confname, int ud, int ld, int kq, struct passwd *pwd)
 {
        struct sockaddr_storage remoteaddr;
        struct kevent ch[2], kev[4];
        struct timespec ts, *timeout = NULL;
        struct request reqkey, *req;
        struct dnscache *ent;
-       struct passwd *pwd;
        FILE *conf;
        int i, r, af;
        pid_t parent, child;
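Review bot: launch() now receives pwd from its caller and, in the second hunk, dereferences it at `chroot(pwd->pw_dir)` without the NULL check the old local carried, so the non-NULL guarantee has silently moved to main() and should be stated on the signature. A comment above the function such as `/* pwd: account resolved by main() before pledge(); must be non-NULL, pw_dir is used for the chroot */` makes that contract visible to any future caller, since the function itself no longer validates it. launch() continues past the end of this hunk.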
@@ -443,9 +442,6 @@ launch(const char *confname, int ud, int
 
        kq = kqueue();
 
-       if (!(pwd = getpwnam("_rebound")))
-               logerr("getpwnam failed");
-
        if (chroot(pwd->pw_dir) == -1)
                logerr("chroot failed (%d)", errno);
        if (chdir("/") == -1)
@@ -611,12 +607,16 @@ main(int argc, char **argv)
        int one;
        int childdead, hupped;
        pid_t child;
+       struct passwd *pwd;
        struct kevent kev;
        struct rlimit rlim;
        struct timespec ts, *timeout = NULL;
        const char *conffile = "/etc/rebound.conf";
 
-       if (pledge("stdio rpath getpw inet proc id", NULL) == -1)
+       if (!(pwd = getpwnam("_rebound")))
+               logerr("getpwnam failed");
+
+       if (pledge("stdio rpath inet proc id", NULL) == -1)
                logerr("pledge failed");
 
        while ((ch = getopt(argc, argv, "c:d")) != -1) {
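Review bot: The failure message `logerr("getpwnam failed")` does not name the account, so an operator whose installation lacks the `_rebound` user gets no hint which entry is missing; `logerr("getpwnam(\"_rebound\") failed")` says it in the same line. Because the lookup now happens once before the fork loop, pwd points at libc's static passwd storage for the rest of the process and is handed to every later launch() call; presumably nothing in main() calls a getpw* routine afterwards (with the `getpw` promise dropped such a call would be a pledge violation), but a one-line comment at the lookup noting that the result must stay untouched would document the assumption. main() continues outside the hunk.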
@@ -682,7 +682,7 @@ main(int argc, char **argv)
                err(1, "listen");
 
        if (debug) {
-               launch(conffile, ud, ld, -1);
+               launch(conffile, ud, ld, -1, pwd);
                return 1;
        }
 
@@ -695,7 +695,7 @@ main(int argc, char **argv)
        while (1) {
                hupped = 0;
                childdead = 0;
-               child = launch(conffile, ud, ld, kq);
+               child = launch(conffile, ud, ld, kq, pwd);
                if (child == -1)
                        logerr("failed to launch");
 

-- 
Carlin
