diff options
| author | pjd <pjd@FreeBSD.org> | 2013-07-03 22:21:11 +0000 |
|---|---|---|
| committer | pjd <pjd@FreeBSD.org> | 2013-07-03 22:21:11 +0000 |
| commit | 671bf2da4323dd91bdb6ab81d384220e0af44c3c (patch) | |
| tree | 0329de009b7a0d7e78e4179b8b4cc8a8983f87fa /sbin/dhclient | |
| parent | 745563514be1c4a53986276e837d351f916f2788 (diff) | |
| download | FreeBSD-src-671bf2da4323dd91bdb6ab81d384220e0af44c3c.zip FreeBSD-src-671bf2da4323dd91bdb6ab81d384220e0af44c3c.tar.gz | |
MFp4 @229486:
Once PID is written to the pidfile, revoke all capability rights.
We just want to keep the pidfile open.
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
Diffstat (limited to 'sbin/dhclient')
| -rw-r--r-- | sbin/dhclient/dhclient.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c index ead20b4..b695f6a 100644 --- a/sbin/dhclient/dhclient.c +++ b/sbin/dhclient/dhclient.c @@ -2363,8 +2363,13 @@ go_daemon(void) if (daemon(1, 0) == -1) error("daemon"); - if (pidfile != NULL) + if (pidfile != NULL) { pidfile_write(pidfile); + if (cap_rights_limit(pidfile_fileno(pidfile), CAP_NONE) < 0 && + errno != ENOSYS) { + error("can't limit pidfile descriptor: %m"); + } + } /* we are chrooted, daemon(3) fails to open /dev/null */ if (nullfd != -1) { |
