On Wed, Dec 23, 2015 at 04:26:11PM +0000, Ricardo Mestre wrote:
> Hi tech@
>
> tokenadm(8) pretty much needs almost the same pledge annotations as
> login_token(8),
> "rpath wpath cpath fattr flock" for operations on the DB files and before that
> it also needs getpw due to calling getgrnam(3) to get the group (TOKEN_GROUP).
> In this case where both differ is that tokenadm(8) doesn't call
> readpassphrase(3)
> and therefore it doesn't need tty.
>
> Any comments?

Please move the pledge() line just before the while(getopt) loop. otherwise OK bluhm@ > > Index: tokenadm.c > =================================================================== > RCS file: /cvs/src/usr.sbin/tokenadm/tokenadm.c,v > retrieving revision 1.10 > diff -u -p -u -r1.10 tokenadm.c > --- tokenadm.c 16 Jan 2015 06:40:22 -0000 1.10 > +++ tokenadm.c 23 Dec 2015 22:24:26 -0000 > @@ -167,6 +167,9 @@ main(int argc, char **argv) > goto usage; > } > > + if (pledge("stdio rpath wpath cpath fattr flock getpw", NULL) == -1) > + err(1, "pledge"); > + > if (what == LIST && (dmode || emode)) > what = MODECH;
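
Review bot: the pledge() call sits after the "goto usage;" block at line 167 of main(), so everything that runs before that point, option parsing included, is unrestricted; placing the call ahead of the getopt loop, as the reply asks, covers that code as well. The "getpw" promise is, per the submission, needed only for the getgrnam(3) lookup of TOKEN_GROUP, so a second pledge() without getpw once that lookup has completed would narrow the set in force during the DB file operations. A short comment above the call noting which promise serves which operation (DB files versus group lookup) would make later changes to the promise string easier to review.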