Re: unveil htpasswd

2018-10-30 Thread Theo de Raadt
Makes sense to me.

> Hi,
> 
> htpasswd(1) when in batch mode (-I) and 1 argument is used, or when not in
> batch mode and 2 arguments are used we know we have to access argv[0] with rwc
> permissions and also to rwc a temporary file in /tmp so we can unveil(2) both
> argv[0] and /tmp with rwc permissions. In order to avoid adding "unveil" to
> pledge(2), just call it after getopt(3).
> 
> Remaining code paths already have fs access disabled via pledge(2).
> 
> Comments? OK?
> 
> Index: htpasswd.c
> ===
> RCS file: /cvs/src/usr.bin/htpasswd/htpasswd.c,v
> retrieving revision 1.16
> diff -u -p -u -r1.16 htpasswd.c
> --- htpasswd.c7 Jun 2017 09:11:52 -   1.16
> +++ htpasswd.c30 Oct 2018 08:55:45 -
> @@ -57,9 +57,6 @@ main(int argc, char** argv)
>   ssize_t linelen;
>   mode_t old_umask;
>  
> - if (pledge("stdio rpath wpath cpath flock tmppath tty", NULL) == -1)
> - err(1, "pledge");
> -
>   while ((c = getopt(argc, argv, "I")) != -1) {
>   switch (c) {
>   case 'I':
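Review bot: With the pledge(2) call removed from the top of main(), the getopt(3) loop below it now runs with no promises in force, and nothing in the source says why. The reason given in the mail (call unveil(2) first so that "unveil" does not have to be added to the promise list) is worth a one-line comment at the relocated pledge call, so a later cleanup does not move it back above getopt(3).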
> @@ -74,6 +71,15 @@ main(int argc, char** argv)
>  
>   argc -= optind;
>   argv += optind;
> +
> + if ((batch && argc == 1) || (!batch && argc == 2)) {
> + if (unveil(argv[0], "rwc") == -1)
> + err(1, "unveil");
> + if (unveil("/tmp", "rwc") == -1)
> + err(1, "unveil");
> + }
> + if (pledge("stdio rpath wpath cpath flock tmppath tty", NULL) == -1)
> + err(1, "pledge");
>  
>   if (batch) {
>   if (argc == 1)
> 
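Review bot: The unveil(2) calls are guarded by `(batch && argc == 1) || (!batch && argc == 2)`, but the pledge(2) right after the block grants "rpath wpath cpath tmppath" unconditionally, so when the condition is false the process carries on with those promises and no unveil restriction at all. The mail says the remaining code paths drop filesystem access through pledge(2), but those calls are outside this diff; it is worth confirming that each branch below `if (batch)` narrows the promises before it handles any input.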



Re: unveil htpasswd

2018-10-30 Thread Florian Obser
OK florian@

On Tue, Oct 30, 2018 at 09:02:48AM +, Ricardo Mestre wrote:
> Hi,
> 
> htpasswd(1) when in batch mode (-I) and 1 argument is used, or when not in
> batch mode and 2 arguments are used we know we have to access argv[0] with rwc
> permissions and also to rwc a temporary file in /tmp so we can unveil(2) both
> argv[0] and /tmp with rwc permissions. In order to avoid adding "unveil" to
> pledge(2), just call it after getopt(3).
> 
> Remaining code paths already have fs access disabled via pledge(2).
> 
> Comments? OK?
> 
> Index: htpasswd.c
> ===
> RCS file: /cvs/src/usr.bin/htpasswd/htpasswd.c,v
> retrieving revision 1.16
> diff -u -p -u -r1.16 htpasswd.c
> --- htpasswd.c7 Jun 2017 09:11:52 -   1.16
> +++ htpasswd.c30 Oct 2018 08:55:45 -
> @@ -57,9 +57,6 @@ main(int argc, char** argv)
>   ssize_t linelen;
>   mode_t old_umask;
>  
> - if (pledge("stdio rpath wpath cpath flock tmppath tty", NULL) == -1)
> - err(1, "pledge");
> -
>   while ((c = getopt(argc, argv, "I")) != -1) {
>   switch (c) {
>   case 'I':
> @@ -74,6 +71,15 @@ main(int argc, char** argv)
>  
>   argc -= optind;
>   argv += optind;
> +
> + if ((batch && argc == 1) || (!batch && argc == 2)) {
> + if (unveil(argv[0], "rwc") == -1)
> + err(1, "unveil");
> + if (unveil("/tmp", "rwc") == -1)
> + err(1, "unveil");
> + }
> + if (pledge("stdio rpath wpath cpath flock tmppath tty", NULL) == -1)
> + err(1, "pledge");
>  
>   if (batch) {
>   if (argc == 1)
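Review bot: Both failure paths in the new block call `err(1, "unveil")`, so the message does not say whether argv[0] or /tmp was the path that was refused. argv[0] is user-supplied and is the likelier one to fail, so naming the path helps, for example `err(1, "unveil %s", argv[0])` for the first call and `err(1, "unveil /tmp")` for the second.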

-- 
I'm not entirely sure you are real.