Hi,
playing with ldapd, I noticed that upon exit, the child process (ldape)
is aborted by pledge:
ldapd(10229): syscall 10 "cpath"
and /var/run/ldapi / ldapd.sock are left behind.
ktracing and looking at the code, it seems control_cleanup in
control.c:117 tries to unlink the control socket, and I haven't found yet
the code that tries to remove the listening ldapi socket (I think
there's none).
Interestingly, adding cpath to the pledge() call in ldape.c makes the
abort go away, but the two sockets are still left behind, so I'm not
sure this is the right way to go, and there's probably more to do.
without cpath in pledge:
3560 ldapd CALL unlink(0x29aab490)
3560 ldapd PLDG unlink, "cpath", errno 1 Operation not permitted
3560 ldapd PSIG SIGABRT SIG_DFL
with it:
26364 ldapd CALL unlink(0x3b27b470)
26364 ldapd NAMI "/var/run/ldapd.sock"
26364 ldapd RET unlink -1 errno 2 No such file or directory
$ls -l /var/run/ldap*
srw-rw---- 1 root wheel 0 Jan 16 11:35 /var/run/ldapd.sock=
srw-rw-rw- 1 root wheel 0 Jan 16 11:35 /var/run/ldapi=
Index: ldape.c
===================================================================
RCS file: /cvs/src/usr.sbin/ldapd/ldape.c,v
retrieving revision 1.23
diff -u -r1.23 ldape.c
--- ldape.c 24 Dec 2015 17:47:57 -0000 1.23
+++ ldape.c 16 Jan 2016 10:24:24 -0000
@@ -444,7 +444,7 @@
fatal("cannot drop privileges");
}
- if (pledge("stdio flock inet unix recvfd", NULL) == -1)
+ if (pledge("stdio cpath flock inet unix recvfd", NULL) == -1)
fatal("pledge");
log_debug("ldape: entering event loop");
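Review bot: adding cpath here masks the abort rather than fixing the cleanup: the ktrace taken with cpath shows unlink("/var/run/ldapd.sock") returning ENOENT while the ls output shows the socket present at that path, so the child does not see the file it is trying to remove (worth checking whether ldape is chrooted or otherwise sees a different filesystem view), and both sockets are still left behind. This pledge is issued right after the privilege drop (fatal("cannot drop privileges") two lines above), so widening the promise set also lets the unprivileged child create and remove paths for its entire lifetime in order to serve a single unlink at exit. The smaller change is to keep the child's promises as they were and have the privileged parent remove both the control socket and the listening ldapi socket at shutdown, which also covers the ldapi socket that currently has no removal code at all.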