authormestre <mestre@openbsd.org>2019-04-30 18:28:45 +0000
committermestre <mestre@openbsd.org>2019-04-30 18:28:45 +0000
commit94b01cd7456f2a8f17463dd5364de77c9ba1f723 (patch)
tree536edfd824d6f003a61b9ba165ce69145643aeb1
parentfix disktype related typo (diff)
add unveil(2):
chpass(1) without parameters enters in edit mode by default, in here it will need to execute _PATH_BSHELL to spawn a new EDITOR, _PATH_SHELLS to check (read) if we are changing from/to a non-standard shell (in case we are not root) and read access to `tempname' to verify if the file has valid entries and create to unlink it. If -s is used to change a user's shell then it will need read access to _PATH_SHELLS by the same reason already mentioned above. Unconditionally we need to unveil _PATH_MASTERPASSWD_LOCK with write/create permissions, _PATH_MASTERPASSWD with read and _PATH_PWD_MKDB to execute pwd_mkdb(8). In the -a case I'm not unveiling /etc/spwd.db since we can get it through pledge "getpw", which can be added later for completeness of all code paths. Note also that the first pledges need "unveil" since we will call unveil(2) afterwards. "looks good" deraadt@
-rw-r--r--usr.bin/chpass/chpass.c20
1 files changed, 17 insertions, 3 deletions
diff --git a/usr.bin/chpass/chpass.c b/usr.bin/chpass/chpass.c
index 1c1836c800a..60fd6a147c9 100644
--- a/usr.bin/chpass/chpass.c
+++ b/usr.bin/chpass/chpass.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: chpass.c,v 1.44 2017/12/08 17:04:15 deraadt Exp $ */
+/* $OpenBSD: chpass.c,v 1.45 2019/04/30 18:28:45 mestre Exp $ */
/* $NetBSD: chpass.c,v 1.8 1996/05/15 21:50:43 jtc Exp $ */
/*-
@@ -136,7 +136,13 @@ main(int argc, char *argv[])
pw_error(tempname, 1, 1);
display(tempname, dfd, pw);
- if (pledge("stdio rpath wpath cpath id proc exec",
+ if (unveil(_PATH_BSHELL, "x") == -1)
+ err(1, "unveil");
+ if (unveil(_PATH_SHELLS, "r") == -1)
+ err(1, "unveil");
+ if (unveil(tempname, "rc") == -1)
+ err(1, "unveil");
+ if (pledge("stdio rpath wpath cpath id proc exec unveil",
NULL) == -1)
err(1, "pledge");
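Review bot: The three unveil(2) failure paths added here all report `err(1, "unveil")`, so the message never says which path was refused. The same applies to the unveil call added in the NEWSH hunk and to the three added before the final pledge. Naming the path makes a broken sandbox setup diagnosable from the error text alone, for example `err(1, "unveil %s", _PATH_BSHELL);` and `err(1, "unveil %s", tempname);`. This matters most for `tempname`, which is generated at run time and cannot be guessed from the source. main() starts and ends outside this hunk.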
@@ -158,7 +164,9 @@ main(int argc, char *argv[])
}
if (op == NEWSH) {
- if (pledge("stdio rpath wpath cpath id proc exec",
+ if (unveil(_PATH_SHELLS, "r") == -1)
+ err(1, "unveil");
+ if (pledge("stdio rpath wpath cpath id proc exec unveil",
NULL) == -1)
err(1, "pledge");
@@ -175,6 +183,12 @@ main(int argc, char *argv[])
sigdelset(&fullset, SIGINT);
sigprocmask(SIG_BLOCK, &fullset, NULL);
+ if (unveil(_PATH_MASTERPASSWD_LOCK, "wc") == -1)
+ err(1, "unveil");
+ if (unveil(_PATH_MASTERPASSWD, "r") == -1)
+ err(1, "unveil");
+ if (unveil(_PATH_PWD_MKDB, "x") == -1)
+ err(1, "unveil");
if (pledge("stdio rpath wpath cpath proc exec", NULL) == -1)
err(1, "pledge");
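Review bot: Nothing in this hunk says that the pledge following the three unveil calls is the one that closes the unveil list, as it is the first visible promise string without "unveil". Because that ordering is the security property, a later edit that adds an unveil below this pledge, or restores the promise, would change the sandbox without any hint in the code. I would add a comment above the pledge such as `/* no "unveil" promise from here on: the path list above is final */`. The enclosing main() continues outside the hunk, so it is worth confirming that every path reaching this point has made all the unveil calls it needs.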