Hi,

I am currently debugging some unveil issues reported when process accounting is 
enabled (see acct(2)). 

xlock is currently triggering some unveil(2) violations:

$ lastcomm | grep U
xlock                    -FU     semarie                          __         0.00 secs Wed Jul  6 07:13 (1:21:00.00)

I tracked them to be related to "login.conf" access (due to auth_userokay(3) 
usage).

The diff below adds all "login.conf" related files to the files readable by the 
process:

- /etc/login.conf
- /etc/login.conf.db
- /etc/login.conf.d/*


diff 7f83513b277728e78b173796466b04c2373f0b55 
/home/semarie/repos/openbsd/xenocara
blob - 7fdf4f11d18bdb1bab730f008ef7ea10e0e482ca
file + app/xlockmore/xlock/privsep.c
--- app/xlockmore/xlock/privsep.c
+++ app/xlockmore/xlock/privsep.c
@@ -255,8 +255,14 @@ priv_init(gid_t gid)
 
        imsg_init(&child_ibuf, socks[0]);
 
+       if (unveil(_PATH_LOGIN_CONF, "r") == -1)
+               err(1, "unveil %s", _PATH_LOGIN_CONF);
+       if (unveil(_PATH_LOGIN_CONF ".db", "r") == -1)
+               err(1, "unveil %s.db", _PATH_LOGIN_CONF);
+       if (unveil(_PATH_LOGIN_CONF_D, "r") == -1)
+               err(1, "unveil %s", _PATH_LOGIN_CONF_D);
        if (unveil(_PATH_AUTHPROGDIR, "rx") == -1)
-               err(1, "unveil");
+               err(1, "unveil %s", _PATH_AUTHPROGDIR);
        if (pledge("stdio rpath getpw proc exec", NULL) == -1)
                err(1, "pledge");
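
Review bot: The three new unveil() calls in priv_init() carry no comment saying why the login.conf paths are needed, so a short comment above them naming auth_userokay(3) as the consumer would keep a later cleanup from dropping them. Each call also exits through err(1, ...) on failure, while the ".db" file and the _PATH_LOGIN_CONF_D directory may be absent on a given system; it is worth confirming that unveil(2) succeeds for a path that does not exist, so that xlock cannot fail to start there. Adding the path to the _PATH_AUTHPROGDIR error message is a good change, since a bare "unveil" no longer identifies which of the four calls failed.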


With it, I don't have unveil(2) violations anymore when running xlock(1).

Comments or OK?
-- 
Sebastien Marie
