diff options
author | Pawel Jakub Dawidek <pjd@FreeBSD.org> | 2013-07-03 22:22:29 +0000 |
---|---|---|
committer | Pawel Jakub Dawidek <pjd@FreeBSD.org> | 2013-07-03 22:22:29 +0000 |
commit | a6f38228d451a192e2a07986831e8d37426995e5 (patch) | |
tree | 1b8f20f7a04ba8c56e2692b0cb253d04404fc950 /sbin/dhclient | |
parent | 4c7a48b7a986e53b64465e9e12b85b7ad0c4943d (diff) | |
download | src-a6f38228d451a192e2a07986831e8d37426995e5.tar.gz src-a6f38228d451a192e2a07986831e8d37426995e5.zip |
MFp4 @229487:
Revoke all capability rights from STDIN and allow only for write to STDOUT and
STDERR. All those descriptors are redirected to /dev/null.
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
Notes
Notes:
svn path=/head/; revision=252633
Diffstat (limited to 'sbin/dhclient')
-rw-r--r-- | sbin/dhclient/dhclient.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c index b695f6adfd4d..2305d973cc3d 100644 --- a/sbin/dhclient/dhclient.c +++ b/sbin/dhclient/dhclient.c @@ -2379,6 +2379,13 @@ go_daemon(void) close(nullfd); nullfd = -1; } + + if (cap_rights_limit(STDIN_FILENO, CAP_NONE) < 0 && errno != ENOSYS) + error("can't limit stdin: %m"); + if (cap_rights_limit(STDOUT_FILENO, CAP_WRITE) < 0 && errno != ENOSYS) + error("can't limit stdout: %m"); + if (cap_rights_limit(STDERR_FILENO, CAP_WRITE) < 0 && errno != ENOSYS) + error("can't limit stderr: %m"); } int |