Hello ports@, this patch adds pledge() to net/ngircd. Tested on amd64 with ngircd running with TLS. Unfortunately the promises can't be further reduced since this would break /rehash (i.e. reloading the config) later. But this is better than nothing.
Index: Makefile =================================================================== RCS file: /cvs/ports/net/ngircd/Makefile,v retrieving revision 1.18 diff -u -p -u -p -r1.18 Makefile --- Makefile 12 Jul 2019 20:48:34 -0000 1.18 +++ Makefile 7 Feb 2020 14:15:32 -0000 @@ -4,6 +4,8 @@ COMMENT = lightweight irc server DISTNAME = ngircd-25 +REVISION = 0 + CATEGORIES = net HOMEPAGE = https://ngircd.barton.de/ Index: patches/patch-src_ngircd_ngircd_c =================================================================== RCS file: /cvs/ports/net/ngircd/patches/patch-src_ngircd_ngircd_c,v retrieving revision 1.4 diff -u -p -u -p -r1.4 patch-src_ngircd_ngircd_c --- patches/patch-src_ngircd_ngircd_c 3 Dec 2014 10:32:18 -0000 1.4 +++ patches/patch-src_ngircd_ngircd_c 7 Feb 2020 14:15:32 -0000 @@ -1,7 +1,18 @@ $OpenBSD: patch-src_ngircd_ngircd_c,v 1.4 2014/12/03 10:32:18 jasper Exp $ ---- src/ngircd/ngircd.c.orig Mon Jul 14 13:26:07 2014 -+++ src/ngircd/ngircd.c Tue Dec 2 20:05:31 2014 -@@ -563,7 +563,7 @@ Setup_FDStreams(int fd) +Index: src/ngircd/ngircd.c +--- src/ngircd/ngircd.c.orig ++++ src/ngircd/ngircd.c +@@ -259,6 +259,9 @@ main(int argc, const char *argv[]) + exit(1); + } + ++ if ( pledge("stdio inet dns rpath proc getpw", NULL) == -1) ++ err(1, "pledge"); ++ + /* Initialize modules, part II: these functions are eventually + * called with already dropped privileges ... */ + Channel_Init(); +@@ -563,7 +566,7 @@ Setup_FDStreams(int fd) #if !defined(SINGLE_USER_OS) /** @@ -10,7 +21,7 @@ $OpenBSD: patch-src_ngircd_ngircd_c,v 1. * * @param uid User ID * @param gid Group ID -@@ -587,7 +587,7 @@ NGIRCd_getNobodyID(uid_t *uid, gid_t *gid ) +@@ -587,7 +590,7 @@ NGIRCd_getNobodyID(uid_t *uid, gid_t *gid ) } #endif 
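Review bot: The `err(1, "pledge")` call added to main() has no matching `#include <err.h>` in any hunk of this patch, and the same is true of the call added to Proc_Fork() in patch-src_ngircd_proc_c. Unless both source files already include that header outside the visible context, err() ends up implicitly declared, so I would add `#include <err.h>` to each patched file. A short comment above the pledge saying which feature needs which promise would also help, since the cover mail gives /rehash as the reason the set cannot shrink; something like `/* rpath: config re-read on /rehash; proc: forked resolver children */`, with the mapping confirmed by whoever tested it. Only TLS operation on amd64 is reported as tested, so paths that touch the filesystem at shutdown or on reload deserve a run under the new promises as well. main() starts and ends outside the hunk.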
@@ -19,7 +30,7 @@ $OpenBSD: patch-src_ngircd_ngircd_c,v 1. if (!pwd) return false; -@@ -703,11 +703,11 @@ NGIRCd_Init(bool NGIRCd_NoDaemon) +@@ -703,11 +706,11 @@ NGIRCd_Init(bool NGIRCd_NoDaemon) if (Conf_UID == 0) { pwd = getpwuid(0); Log(LOG_INFO, Index: patches/patch-src_ngircd_proc_c =================================================================== RCS file: patches/patch-src_ngircd_proc_c diff -N patches/patch-src_ngircd_proc_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_ngircd_proc_c 7 Feb 2020 14:15:32 -0000 @@ -0,0 +1,15 @@ +$OpenBSD$ + +Index: src/ngircd/proc.c +--- src/ngircd/proc.c.orig ++++ src/ngircd/proc.c +@@ -76,6 +76,9 @@ Proc_Fork(PROC_STAT *proc, int *pipefds, void (*cbfunc + return -1; + case 0: + /* New child process: */ ++ /* XXX no PAM, fork only for DNS */ ++ if (pledge("stdio dns", NULL) == -1) ++ err(1, "pledge"); + #ifdef HAVE_ARC4RANDOM_STIR + arc4random_stir(); + #endif
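Review bot: The `pledge("stdio dns", NULL)` added to the child branch of Proc_Fork() applies to every caller of this helper, yet the function takes a callback and the only record of why that is safe is the `XXX no PAM, fork only for DNS` comment. If the port is ever built with PAM, or if any forked helper does more than resolve names and write its result back (an ident lookup would need `inet`, for example; that is not visible here and should be checked), the child is killed instead of failing cleanly. I would state the assumption in full, e.g. `/* every Proc_Fork() child in this port is a resolver helper; revisit these promises if PAM or other helpers are enabled */`, and mention the dependency next to the configure arguments in the port Makefile. Proc_Fork() starts and ends outside the hunk.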