changeset 5312:b336a280de82 draft
privsep: Set resource limits when dropping privs
Disables forking, new files, sockets and writing large files.
| author | Roy Marples <roy@marples.name> |
|---|---|
| date | Fri, 05 Jun 2020 12:24:44 +0100 |
| parents | fd78486b12a7 |
| children | 9aa7c5f01a8b |
| files | src/privsep.c |
| diffstat | 1 files changed, 22 insertions(+), 0 deletions(-) [+] |
--- a/src/privsep.c Fri Jun 05 12:23:51 2020 +0100
+++ b/src/privsep.c Fri Jun 05 12:24:44 2020 +0100
@@ -39,6 +39,7 @@
 * this in a script or something.
 */
+#include <sys/resource.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -112,6 +113,7 @@
 ps_dropprivs(struct dhcpcd_ctx *ctx)
 {
 struct passwd *pw = ctx->ps_user;
+ struct rlimit rzero = { .rlim_cur = 0, .rlim_max = 0 };
 if (!(ctx->options & DHCPCD_FORKED))
 logdebugx("chrooting to `%s' as %s", pw->pw_dir, pw->pw_name);
@@ -128,6 +130,26 @@
 return -1;
 }
+ /* Prohibit new files, sockets, etc */
+ if (setrlimit(RLIMIT_NOFILE, &rzero) == -1) {
+ logerr("setrlimit RLIMIT_NOFILE");
+ return -1;
+ }
+
+ /* Prohibit large files */
+ if (setrlimit(RLIMIT_FSIZE, &rzero) == -1) {
+ logerr("setrlimit RLIMIT_FSIZE");
+ return -1;
+ }
+
+#ifdef RLIMIT_NPROC
+ /* Prohibit forks */
+ if (setrlimit(RLIMIT_NPROC, &rzero) == -1) {
+ logerr("setrlimit RLIMIT_NPROC");
+ return -1;
+ }
+#endif
+
 return 0;
 }
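Review bot: The zero limits added in the third hunk have side effects that the comments do not state, and these should be documented or handled. `RLIMIT_FSIZE` of 0 rejects writes of any size to a regular file, not only large ones, and the default action of the resulting SIGXFSZ is to terminate the process; if the unprivileged process can ever write a log or lease file, SIGXFSZ should be ignored so that the write fails with EFBIG instead, and the comment would be more accurate as `/* Prohibit writing to files; an offending write raises SIGXFSZ */`. `RLIMIT_NOFILE` of 0 means every descriptor the process needs must already be open at this point, and on Linux poll(2) returns EINVAL when nfds exceeds the soft limit, so this should be checked against whichever event loop the process uses (not visible here). The body of ps_dropprivs between the second and third hunks is outside the diff, so the placement of these calls after the uid change is only inferred from the trailing `return -1; }` context.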
