On Wed, Dec 23, 2015 at 04:26:11PM +0000, Ricardo Mestre wrote:
> Hi tech@
> 
> tokenadm(8) pretty much needs almost the same pledge annotations as
> login_token(8), "rpath wpath cpath fattr flock" for operations on the DB
> files and before that it also needs getpw due to calling getgrnam(3) to get
> the group (TOKEN_GROUP). In this case where both differ is that tokenadm(8)
> doesn't call readpassphrase(3) and therefore it doesn't need tty.
> 
> Any comments?

Please move the pledge() line just before the while(getopt) loop.

otherwise OK bluhm@

> 
> Index: tokenadm.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/tokenadm/tokenadm.c,v
> retrieving revision 1.10
> diff -u -p -u -r1.10 tokenadm.c
> --- tokenadm.c        16 Jan 2015 06:40:22 -0000      1.10
> +++ tokenadm.c        23 Dec 2015 22:24:26 -0000
> @@ -167,6 +167,9 @@ main(int argc, char **argv)
>                       goto usage;
>               }
>  
> +     if (pledge("stdio rpath wpath cpath fattr flock getpw", NULL) == -1)
> +             err(1, "pledge");
> +
>       if (what == LIST && (dmode || emode))
>               what = MODECH;
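
Review bot: The pledge() call added at @@ -167 lands after the block that ends in `goto usage; }`, so everything before that point, including option handling, still runs without any promises in effect. As requested in the reply, hoist it to just before the while(getopt) loop so argv processing is covered too. The description says getpw is needed only for the getgrnam(3) lookup of TOKEN_GROUP that happens before the DB operations; if that lookup is done once up front, a second pledge() with "stdio rpath wpath cpath fattr flock" after it would drop getpw for the rest of the run. A one-line comment above the call stating which operation needs which promise (DB files versus group lookup) would also help the next person who touches the promise string.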
