Hi, I am currently debugging some unveil issues reported when process accounting in enabled (see acct(2)).
xlock is currently doing some unveil(2) violation: $ lastcomm | grep U xlock -FU semarie __ 0.00 secs Wed Jul 6 07:13 (1:21:00.00) I tracked them to be related to "login.conf" access (due to auth_userokay(3) usage). The diff belows adds all "login.conf" related files to readable files by the process: - /etc/login.conf - /etc/login.conf.db - /etc/login.conf.d/* diff 7f83513b277728e78b173796466b04c2373f0b55 /home/semarie/repos/openbsd/xenocara blob - 7fdf4f11d18bdb1bab730f008ef7ea10e0e482ca file + app/xlockmore/xlock/privsep.c --- app/xlockmore/xlock/privsep.c +++ app/xlockmore/xlock/privsep.c @@ -255,8 +255,14 @@ priv_init(gid_t gid) imsg_init(&child_ibuf, socks[0]); + if (unveil(_PATH_LOGIN_CONF, "r") == -1) + err(1, "unveil %s", _PATH_LOGIN_CONF); + if (unveil(_PATH_LOGIN_CONF ".db", "r") == -1) + err(1, "unveil %s.db", _PATH_LOGIN_CONF); + if (unveil(_PATH_LOGIN_CONF_D, "r") == -1) + err(1, "unveil %s", _PATH_LOGIN_CONF_D); if (unveil(_PATH_AUTHPROGDIR, "rx") == -1) - err(1, "unveil"); + err(1, "unveil %s", _PATH_AUTHPROGDIR); if (pledge("stdio rpath getpw proc exec", NULL) == -1) err(1, "pledge"); With it, I don't have unveil(2) violation anymore when running xlock(1). Comments or OK ? -- Sebastien Marie