From 22223da9a104fe26a8254fafcb7c3ba671ea46ef Mon Sep 17 00:00:00 2001 From: Thomas Bernard Date: Thu, 3 Oct 2019 23:23:53 +0200 Subject: [PATCH] use OpenBSD pledge() to drop privileges To be tested see #405 --- miniupnpd/Changelog.txt | 5 ++++- miniupnpd/genconfig.sh | 6 +++++- miniupnpd/miniupnpd.c | 11 ++++++++++- 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/miniupnpd/Changelog.txt b/miniupnpd/Changelog.txt index 3f8b30f..91813cd 100644 --- a/miniupnpd/Changelog.txt +++ b/miniupnpd/Changelog.txt @@ -1,4 +1,7 @@ -$Id: Changelog.txt,v 1.453 2019/10/02 22:12:37 nanard Exp $ +$Id: Changelog.txt,v 1.454 2019/10/03 20:40:37 nanard Exp $ + +2019/10/03: + Use OpenBSD pledge() 2019/10/02: Working NFTables implementation thanks to Paul Chambers diff --git a/miniupnpd/genconfig.sh b/miniupnpd/genconfig.sh index a301933..3ebb42f 100755 --- a/miniupnpd/genconfig.sh +++ b/miniupnpd/genconfig.sh @@ -1,5 +1,5 @@ #! /bin/sh -# $Id: genconfig.sh,v 1.100 2019/09/24 11:50:34 nanard Exp $ +# $Id: genconfig.sh,v 1.103 2019/10/03 20:40:39 nanard Exp $ # vim: tabstop=4 shiftwidth=4 noexpandtab # # miniupnp daemon @@ -146,6 +146,10 @@ case $OS_NAME in MAJORVER=`echo $OS_VERSION | cut -d. -f1` MINORVER=`echo $OS_VERSION | cut -d. -f2` #echo "OpenBSD majorversion=$MAJORVER minorversion=$MINORVER" + # The pledge() system call first appeared in OpenBSD 5.9. + if [ \( $MAJORVER -ge 6 \) -o \( $MAJORVER -eq 5 -a $MINORVER -ge 9 \) ]; then + echo "#define HAS_PLEDGE" >> ${CONFIGFILE} + fi # rtableid was introduced in OpenBSD 4.0 if [ $MAJORVER -ge 4 ]; then echo "#define PFRULE_HAS_RTABLEID" >> ${CONFIGFILE} diff --git a/miniupnpd/miniupnpd.c b/miniupnpd/miniupnpd.c index 15a360d..665499d 100644 --- a/miniupnpd/miniupnpd.c +++ b/miniupnpd/miniupnpd.c @@ -1,4 +1,4 @@ -/* $Id: miniupnpd.c,v 1.235 2019/05/21 08:39:43 nanard Exp $ */ +/* $Id: miniupnpd.c,v 1.237 2019/10/03 20:40:40 nanard Exp $ */ /* vim: tabstop=4 shiftwidth=4 noexpandtab * MiniUPnP project * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ @@ -2241,6 +2241,15 @@ main(int argc, char * * argv) } #endif + /* drop privileges */ +#ifdef HAS_PLEDGE + /* mcast ? unix ? */ + if (pledge("stdio inet pf", NULL) < 0) { + syslog(LOG_ERR, "pledge(): %m"); + return 1; + } +#endif /* HAS_PLEDGE */ + /* main loop */ while(!quitting) {