From: Baptiste Daroussin
Date: Wed, 22 Feb 2017 16:37:45 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r314099 - head/usr.bin/lam

Author: bapt
Date: Wed Feb 22 16:37:45 2017
New Revision: 314099
URL: https://svnweb.freebsd.org/changeset/base/314099

Log:
  Better fix for r314098

  The actual issue was the fact that if - was used then some restrictions were
  already set to stdin when we were applying caph_limit_stdio which was failing
  due to the fact the fd was already restricted to lower rights.

  Restricting stdio before actually opening the files prevents trying to raise
  the right and fixes the issue.

  And this allows to keep failing the program if restriction failed

  Approved by: allanjude
  Differential Revision: https://reviews.freebsd.org/D9723

Modified:
  head/usr.bin/lam/lam.c

Modified: head/usr.bin/lam/lam.c ============================================================================== --- head/usr.bin/lam/lam.c Wed Feb 22 15:30:57 2017 (r314098) +++ head/usr.bin/lam/lam.c Wed Feb 22 16:37:45 2017 (r314099) @@ -86,6 +86,8 @@ main(int argc, char *argv[]) if (argc == 1) usage(); + if (caph_limit_stdio() == -1) + err(1, "unable to limit stdio"); getargs(argv); if (!morefiles) usage(); @@ -95,7 +97,6 @@ main(int argc, char *argv[]) * mode. */ caph_cache_catpages(); - caph_limit_stdio(); if (cap_enter() < 0 && errno != ENOSYS) err(1, "unable to enter capability mode");
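
Review bot: the caph_limit_stdio() call added ahead of getargs(argv) in the first hunk carries no comment saying that its position matters. Per the log, getargs can already restrict stdin when - is given, and rights on a descriptor can only be narrowed, never raised, so a later cleanup that moves this call back below getargs would reintroduce the failure. A short comment above the if stating that stdio must be limited before the input files are opened would protect the ordering. It is also worth confirming that the rights getargs requests for stdin are a subset of what caph_limit_stdio() leaves in place, since the narrower limit is now applied second and would fail otherwise.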
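
Review bot: the cap_enter() check kept as context in the second hunk tolerates ENOSYS, while the caph_limit_stdio() check that replaces the removed unchecked call exits on any -1 return. Please confirm that caph_limit_stdio() ignores ENOSYS internally; if it does not, lam would now exit with "unable to limit stdio" on a kernel built without capability support, where it previously continued. If the helper already handles that case, a note in the commit log or a comment would save the next reader from asking the same question.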