Re: Pledge failure in nc(1)

Sat, 28 May 2016 12:53:18 -0700 

Nice catch, and the right analysis.. Thanks Anthony. I think that can
be committed

I don't think we will get away from a bit of a maze there without
deprecating nc options, so
IMO this is fine.


On Sat, May 28, 2016 at 12:36 PM, Anthony Coulter
<[email protected]> wrote:
> When nc(1) tries to connect through an HTTP proxy that requires
> authentication, nc calls readpassphrase(3) and aborts. Pledging "tty"
> fixes this problem, but you'll notice that the diff has a lot of nasty
> branches. My failure to check Pflag when connecting over unix sockets
> is not an oversight; nc does not support that configuration.
>
> To reproduce the failure without setting up a real HTTP proxy, open
> two terminals and run nc as a coprocess in the first. The following
> session causes a core dump:
>   (tty1)$ nc -lk 8080 |&
>   (tty2)$ nc -Xconnect -xlocalhost:8080 -Puser localhost 8081
>   (tty1)$ print -np "HTTP/1.0 407 Authentication Required\r\n\r\n"
>   (tty2) Abort trap (core dumped)
>
>
> Index: netcat.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/nc/netcat.c,v
> retrieving revision 1.150
> diff -u -p -r1.150 netcat.c
> --- netcat.c    4 Jan 2016 02:18:31 -0000       1.150
> +++ netcat.c    28 May 2016 18:33:30 -0000
> @@ -323,7 +323,13 @@ main(int argc, char *argv[])
>                 if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == 
> -1)
>                         err(1, "pledge");
>         } else if (Fflag) {
> -               if (pledge("stdio inet dns sendfd", NULL) == -1)
> +               if (Pflag) {
> +                       if (pledge("stdio inet dns sendfd tty", NULL) == -1)
> +                               err(1, "pledge");
> +               } else if (pledge("stdio inet dns sendfd", NULL) == -1)
> +                       err(1, "pledge");
> +       } else if (Pflag) {
> +               if (pledge("stdio inet dns tty", NULL) == -1)
>                         err(1, "pledge");
>         } else if (usetls) {
>                 if (pledge("stdio rpath inet dns", NULL) == -1)
> @@ -434,7 +440,10 @@ main(int argc, char *argv[])
>                 if (Kflag && (privkey = tls_load_file(Kflag, &privkeylen, 
> NULL)) == NULL)
>                         errx(1, "unable to load TLS key file %s", Kflag);
>
> -               if (pledge("stdio inet dns", NULL) == -1)
> +               if (Pflag) {
> +                       if (pledge("stdio inet dns tty", NULL) == -1)
> +                               err(1, "pledge");
> +               } else if (pledge("stdio inet dns", NULL) == -1)
>                         err(1, "pledge");
>
>                 if (tls_init() == -1)
>

Reply via email to