1
0
mirror of https://github.com/openbsd/src.git synced 2024-12-22 16:42:56 -08:00

Unveil fits nicely into the syslogd privsep model. Unveiled files

include config file "r", utmp "r", /dev "rw", /bin/sh "x" for running
piped commands, and the syslogd binary "x" itself for HUP re-exec upon
config loads with changes.  Also unveiled in the privsep process are
the specific log files being written to.

If a config file reload changes no files, the existing privsep process
keeps running with unveil's to the relevant files (therefore it can
cope with newsyslogd taking files away).  If a new config file is loaded
which changes the output files, the privsep process is restarted with
fork+exec, and installs new unveils as needed.  The safety we gain from
unveil is that we've pigeonholed the privsep file-writer to exactly the
files required.

Help from bluhm for some edge cases.
This commit is contained in:
deraadt 2018-08-07 18:36:49 +00:00
parent 9b5cd4f05c
commit 8d92522dc6

View File

@ -1,4 +1,4 @@
/* $OpenBSD: privsep.c,v 1.68 2018/04/26 13:40:09 bluhm Exp $ */
/* $OpenBSD: privsep.c,v 1.69 2018/08/07 18:36:49 deraadt Exp $ */
/*
* Copyright (c) 2003 Anil Madhavapeddy <anil@recoil.org>
@ -184,7 +184,25 @@ priv_exec(char *conf, int numeric, int child, int argc, char *argv[])
if (pw == NULL)
errx(1, "unknown user _syslogd");
if (pledge("stdio rpath wpath cpath dns sendfd id proc exec",
if (unveil(conf, "r") == -1)
err(1, "unveil");
if (unveil(_PATH_UTMP, "r") == -1)
err(1, "unveil");
if (unveil(_PATH_DEV, "rw") == -1)
err(1, "unveil");
/* for pipes */
if (unveil(_PATH_BSHELL, "x") == -1)
err(1, "unveil");
/* For HUP / re-exec */
if (unveil("/usr/sbin/syslogd", "x") == -1)
err(1, "unveil");
if (argv[0][0] == '/')
if (unveil(argv[0], "x") == -1)
err(1, "unveil");
if (pledge("stdio unveil rpath wpath cpath dns sendfd id proc exec",
NULL) == -1)
err(1, "pledge priv");
@ -312,6 +330,9 @@ priv_exec(char *conf, int numeric, int child, int argc, char *argv[])
break;
case PRIV_DONE_CONFIG_PARSE:
if (pledge("stdio rpath wpath cpath dns sendfd id proc exec",
NULL) == -1)
err(1, "pledge done config");
log_debug("[priv]: msg PRIV_DONE_CONFIG_PARSE "
"received");
increase_state(STATE_RUNNING);
@ -554,6 +575,10 @@ check_log_name(char *lognam, size_t logsize)
err(1, "check_log_name() malloc");
strlcpy(lg->path, lognam, PATH_MAX);
TAILQ_INSERT_TAIL(&lognames, lg, next);
if (lognam[0] != '|') {
if (unveil(lognam, "w") == -1)
goto bad_path;
}
break;
case STATE_RUNNING:
TAILQ_FOREACH(lg, &lognames, next)