From 471a995e7853b3cfa296557a0487979100e1b8da Mon Sep 17 00:00:00 2001
From: deraadt
Date: Wed, 1 Apr 2026 15:39:05 +0000
Subject: [PATCH] Do the unveil() after the daemon() call, because otherwise we wouldneed "/dev/null" "rw" and "/" "r", in particular the second is ugly. pointed out by bluhm, discussion also with dgl.
---
 libexec/rpc.rusersd/rusersd.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/libexec/rpc.rusersd/rusersd.c b/libexec/rpc.rusersd/rusersd.c
index 86e3add2bab..864f41c2682 100644
--- a/libexec/rpc.rusersd/rusersd.c
+++ b/libexec/rpc.rusersd/rusersd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rusersd.c,v 1.24 2023/03/08 04:43:06 guenther Exp $ */
+/* $OpenBSD: rusersd.c,v 1.25 2026/04/01 15:39:05 deraadt Exp $ */
 
 /*-
 * Copyright (c) 1993 John Brezak
@@ -80,15 +80,6 @@ main(int argc, char *argv[])
 exit(1);
 }
 
- if (unveil("/dev", "r") == -1) {
- syslog(LOG_ERR, "unveil /dev");
- exit(1);
- }
- if (unveil(NULL, NULL) == -1) {
- syslog(LOG_ERR, "unveil");
- exit(1);
- }
-
 setgroups(1, &pw->pw_gid);
 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid);
 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid);
@@ -115,6 +106,15 @@ main(int argc, char *argv[])
 (void) signal(SIGHUP, cleanup);
 }
 
+ if (unveil("/dev", "r") == -1) {
+ syslog(LOG_ERR, "unveil /dev");
+ exit(1);
+ }
+ if (unveil(NULL, NULL) == -1) {
+ syslog(LOG_ERR, "unveil");
+ exit(1);
+ }
+
 transp = svcudp_create(sock);
 if (transp == NULL) {
 syslog(LOG_ERR, "cannot create udp service.");
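Review bot: The relocated unveil() calls in the last hunk carry no comment recording why they must sit after daemon(), so a later cleanup could move them back up; the commit message has the reason, the code does not. I would add above the first call `/* unveil after daemon(3), which would otherwise need "/dev/null" "rw" and "/" "r" */`. The new position still precedes `svcudp_create(sock)`, so the filesystem view is locked down before the service transport is created, and that ordering is worth stating in the same comment. Both failure messages would be easier to triage with the errno text, e.g. `syslog(LOG_ERR, "unveil /dev: %m");`. main() begins and ends outside the hunk.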