Browse Source

ntpd unveils the cert.pem "r" file (which is passed-over-socket to the

constraints process), and /usr/sbin/ntpd "x" to perform fork+exec operations.
OPENBSD_6_4
deraadt 6 years ago
parent
commit
a27b872488
1 changed files with 5 additions and 1 deletions
  1. +5
    -1
      src/usr.sbin/ntpd/ntpd.c

+ 5
- 1
src/usr.sbin/ntpd/ntpd.c View File

@ -1,4 +1,4 @@
/* $OpenBSD: ntpd.c,v 1.115 2018/08/04 11:07:14 mestre Exp $ */
/* $OpenBSD: ntpd.c,v 1.116 2018/08/08 22:56:42 deraadt Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -244,6 +244,10 @@ main(int argc, char *argv[])
* Constraint processes are forked with certificates in memory,
* then privdrop into chroot before speaking to the outside world.
*/
if (unveil("/etc/ssl/cert.pem", "r") == -1)
err(1, "unveil");
if (unveil("/usr/sbin/ntpd", "x") == -1)
err(1, "unveil");
if (pledge("stdio rpath inet settime proc exec id", NULL) == -1)
err(1, "pledge");


Loading…
Cancel
Save