su(1) tries to log the tty name for successful/failed logins, but ontty()/ttyname() will currently not return anything useful because of unveil.
This patch adds unveil for /var/run/dev.db. ttyname(3) also has a fallback that would need /dev/. I left it out because I don't know if there is any use case and tty(1) also doesn't unveil it. Index: usr.bin/su/su.c =================================================================== RCS file: /cvs/src/usr.bin/su/su.c,v retrieving revision 1.72 diff -u -p -u -r1.72 su.c --- usr.bin/su/su.c 21 Oct 2018 13:18:19 -0000 1.72 +++ usr.bin/su/su.c 27 Jan 2019 22:11:08 -0000 @@ -166,6 +166,8 @@ main(int argc, char **argv) err(1, "unveil"); if (unveil(_PATH_SHELLS, "r") == -1) err(1, "unveil"); + if (unveil(_PATH_DEVDB, "r") == -1) + err(1, "unveil"); for (;;) { /* get target user, default to root unless in -L mode */
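
Review bot: the added unveil(_PATH_DEVDB, "r") in main() carries no comment saying why su needs the device database, and unlike the _PATH_SHELLS entry above it the reason is not obvious from the code. A one-line comment naming ttyname(3) and the tty logging it serves would keep a later cleanup from dropping the call. The same comment could record that the /dev fallback of ttyname(3) is deliberately not unveiled, so a reader knows the tty name can still be missing from the log when dev.db cannot be used. Minor: each failure here reports the identical err(1, "unveil") string, so a failure does not say which path was rejected; including the path in the message would help, though it departs from the neighbouring calls.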