Hi,

When htpasswd(1) runs in batch mode (-I) with one argument, or outside batch
mode with two arguments, we know it has to access argv[0] with rwc permissions
and also to rwc a temporary file in /tmp, so we can unveil(2) both argv[0] and
/tmp with rwc permissions. To avoid adding "unveil" to the pledge(2) promises,
simply move the pledge(2) call after getopt(3) and the unveil(2) calls.

Remaining code paths already have fs access disabled via pledge(2).

Comments? OK?

Index: htpasswd.c
===================================================================
RCS file: /cvs/src/usr.bin/htpasswd/htpasswd.c,v
retrieving revision 1.16
diff -u -p -u -r1.16 htpasswd.c
--- htpasswd.c  7 Jun 2017 09:11:52 -0000       1.16
+++ htpasswd.c  30 Oct 2018 08:55:45 -0000
@@ -57,9 +57,6 @@ main(int argc, char** argv)
        ssize_t linelen;
        mode_t old_umask;
 
-       if (pledge("stdio rpath wpath cpath flock tmppath tty", NULL) == -1)
-               err(1, "pledge");
-
        while ((c = getopt(argc, argv, "I")) != -1) {
                switch (c) {
                case 'I':
@@ -74,6 +71,15 @@ main(int argc, char** argv)
 
        argc -= optind;
        argv += optind;
+
+       if ((batch && argc == 1) || (!batch && argc == 2)) {
+               if (unveil(argv[0], "rwc") == -1)
+                       err(1, "unveil");
+               if (unveil("/tmp", "rwc") == -1)
+                       err(1, "unveil");
+       }
+       if (pledge("stdio rpath wpath cpath flock tmppath tty", NULL) == -1)
+               err(1, "pledge");
 
        if (batch) {
                if (argc == 1)
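Review bot: Both new unveil(2) failures report the identical message `unveil`, so a failing `unveil(argv[0], "rwc")` (for example when the directory named in argv[0] does not exist, since unveil(2) resolves the path now rather than at the later open) cannot be told apart from a failing unveil of /tmp; use `err(1, "unveil %s", argv[0]);` and `err(1, "unveil /tmp");` so the error names the path. The condition at the new `if` duplicates the argc checks that follow it, and a one-line comment such as `/* Only the file variants touch the filesystem: the password file and the temporary file in /tmp. */` would record why the stdin/stdout variants get no unveil at all. In those variants the filesystem stays fully visible and only the pledge(2) promises on the following lines, which still include rpath, wpath, cpath and tmppath, constrain it; the cover message says a later pledge(2) drops filesystem access there, but that call is outside this hunk, so it is worth confirming it happens before any file is opened. main() continues past the end of the hunk.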
