On Wed, Jul 06, 2022 at 09:13:29AM +0200, Sebastien Marie wrote:
> Hi,
> 
> I am currently debugging some unveil issues reported when process accounting
> is enabled (see acct(2)).
> 
> xlock is currently doing some unveil(2) violations:
> 
> $ lastcomm | grep U
> xlock                    -FU     semarie                          __         0.00 secs Wed Jul  6 07:13 (1:21:00.00)
> 
> I tracked them to be related to "login.conf" access (due to auth_userokay(3)
> usage).
> 
> The diff below adds all "login.conf" related files to readable files by the
> process:
> 
> - /etc/login.conf
> - /etc/login.conf.db
> - /etc/login.conf.d/*
>

ok matthieu@ (confused not to have thought about this).

> 
> diff 7f83513b277728e78b173796466b04c2373f0b55 
> /home/semarie/repos/openbsd/xenocara
> blob - 7fdf4f11d18bdb1bab730f008ef7ea10e0e482ca
> file + app/xlockmore/xlock/privsep.c
> --- app/xlockmore/xlock/privsep.c
> +++ app/xlockmore/xlock/privsep.c
> @@ -255,8 +255,14 @@ priv_init(gid_t gid)
>  
>       imsg_init(&child_ibuf, socks[0]);
>  
> +     if (unveil(_PATH_LOGIN_CONF, "r") == -1)
> +             err(1, "unveil %s", _PATH_LOGIN_CONF);
> +     if (unveil(_PATH_LOGIN_CONF ".db", "r") == -1)
> +             err(1, "unveil %s.db", _PATH_LOGIN_CONF);
> +     if (unveil(_PATH_LOGIN_CONF_D, "r") == -1)
> +             err(1, "unveil %s", _PATH_LOGIN_CONF_D);
>       if (unveil(_PATH_AUTHPROGDIR, "rx") == -1)
> -             err(1, "unveil");
> +             err(1, "unveil %s", _PATH_AUTHPROGDIR);
>       if (pledge("stdio rpath getpw proc exec", NULL) == -1)
>               err(1, "pledge");
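Review bot: the three added unveil() calls ahead of the _PATH_AUTHPROGDIR one carry no comment saying why priv_init() needs the login.conf files; the reason (auth_userokay(3) reading them) appears only in the mail text. A one-line comment above the first call would keep a later cleanup from dropping them. On the second call, `_PATH_LOGIN_CONF ".db"` builds the path by literal concatenation while the err() format rebuilds it separately as "unveil %s.db"; defining the .db path once and using it in both the unveil() and the err() call would keep the unveiled path and the reported path from drifting apart.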
> 
> 
> With it, I don't have unveil(2) violations anymore when running xlock(1).
>  
> Comments or OK ?
> -- 
> Sebastien Marie
> 

-- 
Matthieu Herrb
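
The `lastcomm | grep U` check from the quoted report, as an added example that is not part of the original thread: it matches `U` only in the flags column and counts violations per command and user. The function names and sample records are constructed, and the column layout (command, flags, user, with no spaces in command names) is an assumption taken from the sample line above.

```sh
#!/bin/sh
# Added example: summarise unveil(2) violations from lastcomm(1) output.
# Assumption: whitespace-separated columns as in the sample line in the
# thread (command, flags, user, tty, ...), command names without spaces.

# Reads lastcomm output on stdin, prints "count command user" per offender,
# most frequent first.
unveil_violations() {
	awk '
	# The flags column starts with "-"; a "U" in it marks the record.
	# A plain "grep U" would also hit command or user names containing "U".
	$2 ~ /^-[A-Z]*U[A-Z]*$/ { seen[$1 " " $3]++ }
	END { for (k in seen) print seen[k], k }
	' | sort -k1,1nr -k2,2
}

# Constructed sample records (not real accounting data).
sample_lastcomm() {
	cat <<'EOF'
xlock      -FU     semarie   __    0.00 secs Wed Jul  6 07:13 (1:21:00.00)
xlock      -FU     semarie   __    0.00 secs Wed Jul  6 05:52 (0:10:00.00)
USBtool    -       semarie   ttyp1 0.02 secs Wed Jul  6 07:10 (0:00:01.00)
sh         -F      UUser     ttyp1 0.00 secs Wed Jul  6 07:09 (0:00:00.50)
EOF
}

# Demo on the constructed records; on a live system with accounting
# enabled, use: lastcomm | unveil_violations
sample_lastcomm | unveil_violations
```
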
