On Wed, Jul 06, 2022 at 09:13:29AM +0200, Sebastien Marie wrote:
> Hi,
>
> I am currently debugging some unveil issues reported when process accounting
> is enabled (see acct(2)).
>
> xlock is currently doing some unveil(2) violations:
>
> $ lastcomm | grep U
> xlock -FU semarie __ 0.00 secs Wed Jul 6 07:13 (1:21:00.00)
>
> I tracked them to be related to "login.conf" access (due to auth_userokay(3)
> usage).
>
> The diff below adds all "login.conf" related files to readable files by the
> process:
>
> - /etc/login.conf
> - /etc/login.conf.db
> - /etc/login.conf.d/*
>
ok matthieu@ (confused not to have thought about this). > > diff 7f83513b277728e78b173796466b04c2373f0b55 > /home/semarie/repos/openbsd/xenocara > blob - 7fdf4f11d18bdb1bab730f008ef7ea10e0e482ca > file + app/xlockmore/xlock/privsep.c > --- app/xlockmore/xlock/privsep.c > +++ app/xlockmore/xlock/privsep.c > @@ -255,8 +255,14 @@ priv_init(gid_t gid) > > imsg_init(&child_ibuf, socks[0]); > > + if (unveil(_PATH_LOGIN_CONF, "r") == -1) > + err(1, "unveil %s", _PATH_LOGIN_CONF); > + if (unveil(_PATH_LOGIN_CONF ".db", "r") == -1) > + err(1, "unveil %s.db", _PATH_LOGIN_CONF); > + if (unveil(_PATH_LOGIN_CONF_D, "r") == -1) > + err(1, "unveil %s", _PATH_LOGIN_CONF_D); > if (unveil(_PATH_AUTHPROGDIR, "rx") == -1) > - err(1, "unveil"); > + err(1, "unveil %s", _PATH_AUTHPROGDIR); > if (pledge("stdio rpath getpw proc exec", NULL) == -1) > err(1, "pledge"); > > > With it, I don't have unveil(2) violation anymore when running xlock(1). > > Comments or OK ? > -- > Sebastien Marie > -- Matthieu Herrb
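
Review bot: the three new unveil() calls placed ahead of the _PATH_AUTHPROGDIR one in priv_init() have no comment explaining why the privileged child needs login.conf; the reason (auth_userokay(3) reading /etc/login.conf, its .db and login.conf.d) exists only in the mail text. A one-line comment above them naming auth_userokay(3) would keep the entries from being dropped later as unexplained. The patch is a single hunk and adds no #include, so confirm that privsep.c already includes the header defining _PATH_LOGIN_CONF and _PATH_LOGIN_CONF_D, and that _PATH_LOGIN_CONF is a plain string-literal macro, since `_PATH_LOGIN_CONF ".db"` only compiles through literal concatenation. The existing pledge() line already carries "rpath", so no promise change is needed for the new read-only paths.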