From: Alexander Bluhm Subject: Re: rpcinfo(8): add pledge & unveil. To: tech@openbsd.org Date: Wed, 14 Aug 2024 20:23:13 +0200 On Wed, Aug 14, 2024 at 07:42:13PM +0200, Florian Obser wrote: > Any rpcinfo(8) users around? OK bluhm@ > On 2024-08-11 14:04 +02, Florian Obser wrote: > > Not an rpcinfo(8) user, but I think I tested all code paths. > > > > The rpc library needs read access to the rpc database in > > /etc/rpc. Other than that rpcinfo(8) only uses AF_INET sockets. > > > > With -b, rpcinfo(8) uses gethostbyaddr(3) to report hosts that responded > > so add "dns" pledge as well. > > > > I couldn't really test -b though, nothing answered, maybe that's normal > > in this day and age? > > > > Tests, OKs? > > > > diff --git rpcinfo.c rpcinfo.c > > index 91d99144c2c..489f45716fa 100644 > > --- rpcinfo.c > > +++ rpcinfo.c > > @@ -50,6 +50,7 @@ > > #include > > #include > > #include > > +#include > > > > #define MAXHOSTLEN 256 > > > > @@ -94,6 +95,15 @@ main(int argc, char *argv[]) > > function = NONE; > > portnum = 0; > > errflg = 0; > > + > > + if (unveil("/etc/rpc", "r") == -1) > > + err(1, "unveil /"); > > + if (unveil(NULL, NULL) == -1) > > + err(1, "unveil"); > > + > > + if (pledge("stdio inet dns rpath", NULL) == -1) > > + err(1, "pledge"); > > + > > while ((c = getopt(argc, argv, "ptubdsn:")) != -1) { > > switch (c) { > > > > > > -- > > > > In my defence, I have been left unsupervised. > > > > -- > In my defence, I have been left unsupervised.
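Review bot: in the main() hunk, the error string of the first unveil() check reads "unveil /" although the path being unveiled is "/etc/rpc", so a failure would report the wrong path; `err(1, "unveil /etc/rpc");` would match the call. The pledge() is also made before getopt() with "dns" granted for every mode, while the description says only -b needs gethostbyaddr(3); a second pledge() after option parsing that drops "dns" when -b was not given would narrow the promises further. Since the pledge() that follows does not include the "unveil" promise, it already blocks later unveil() calls, so the unveil(NULL, NULL) lock is redundant, though harmless to keep.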