On Wed, Aug 28, 2019 at 12:03:07PM -0600, Theo de Raadt wrote:
> ping and traceroute are setuid programs, so increased access-reduction
> features are worthwhile.
>
> they can both lock their filesystem visibility to "readonly" very early on.
>
> the attack model being prevented against is very obscure. it imagines a
> bug in something between start-of-program and call-to-pledge (which
> entirely removes filesystem access). implying a getaddrinfo related
> bug. meanwhile, there is privdrop as another protection.
>
> these still feel like improvements.
I think so too. Restricting filesystem access early here only helps.
OK brynet@
> Index: usr.sbin/traceroute/traceroute.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/traceroute/traceroute.c,v
> retrieving revision 1.161
> diff -u -p -u -r1.161 traceroute.c
> --- usr.sbin/traceroute/traceroute.c 28 Jun 2019 13:32:51 -0000 1.161
> +++ usr.sbin/traceroute/traceroute.c 27 Aug 2019 17:56:56 -0000
> @@ -327,6 +327,12 @@ main(int argc, char *argv[])
> uid_t ouid, uid;
> gid_t gid;
>
> + /* Cannot pledge due to special setsockopt()s below */
> + if (unveil("/", "r") == -1)
> + err(1, "unveil");
> + if (unveil(NULL, NULL) == -1)
> + err(1, "unveil");
> +
> if ((conf = calloc(1, sizeof(*conf))) == NULL)
> err(1,NULL);
>
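Review bot: the comment "Cannot pledge due to special setsockopt()s below" reads as if traceroute never pledges at all, but the message above describes a later call-to-pledge that removes filesystem access entirely, so the unveil calls are closing the window before that point rather than replacing it. Suggest wording it as "Cannot pledge this early because of the setsockopt()s below; unveil until then" so a reader of the source does not conclude the program is unveil-only. Placement before calloc() is right, since nothing between here and the top of main() touches the filesystem.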
> Index: sbin/ping/ping.c
> ===================================================================
> RCS file: /cvs/src/sbin/ping/ping.c,v
> retrieving revision 1.237
> diff -u -p -u -r1.237 ping.c
> --- sbin/ping/ping.c 20 Jul 2019 00:49:54 -0000 1.237
> +++ sbin/ping/ping.c 27 Aug 2019 17:56:17 -0000
> @@ -264,6 +264,12 @@ main(int argc, char *argv[])
> u_int rtableid = 0;
> extern char *__progname;
>
> + /* Cannot pledge due to special setsockopt()s below */
> + if (unveil("/", "r") == -1)
> + err(1, "unveil");
> + if (unveil(NULL, NULL) == -1)
> + err(1, "unveil");
> +
> if (strcmp("ping6", __progname) == 0) {
> v6flag = 1;
> maxpayload = MAXPAYLOAD6;
>
>
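Review bot: both failure paths report the same string, err(1, "unveil"), so a user of ping or ping6 cannot tell from the message whether the read-only unveil of "/" or the locking unveil(NULL, NULL) failed. Suggest distinct messages, e.g. err(1, "unveil /") and err(1, "unveil lock"), in this hunk and the matching traceroute one. The same comment-wording point applies here: "Cannot pledge" should say "Cannot pledge yet", since the setsockopt()s it refers to are followed by the pledge call mentioned in the message above.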