htpasswd(1) when in batch mode (-I) and 1 argument is used, or when not in

batch mode and 2 arguments are used we know we have to access argv[0] with rwc permissions and also to rwc a temporary file in /tmp so we can unveil(2) both argv[0] and /tmp with rwc permissions. In order to avoid adding "unveil" to pledge(2), just call it after getopt(3). Remaining code paths already have fs access disabled via pledge(2). OK florian@ deraadt@
2025-01-10 06:47:55 -08:00 · 2018-10-31 07:39:10 +00:00 · 2018-10-31 07:39:10 +00:00 · ed9cd39626
commit ed9cd39626
parent c77a80b279
1 changed files with 10 additions and 4 deletions
--- a/usr.bin/htpasswd/htpasswd.c
+++ b/usr.bin/htpasswd/htpasswd.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: htpasswd.c,v 1.16 2017/06/07 09:11:52 awolk Exp $ */
+/*	$OpenBSD: htpasswd.c,v 1.17 2018/10/31 07:39:10 mestre Exp $ */
 /*
 * Copyright (c) 2014 Florian Obser <florian@openbsd.org>
 *
@ -57,9 +57,6 @@ main(int argc, char** argv)
 	ssize_t linelen;
 	mode_t old_umask;

-	if (pledge("stdio rpath wpath cpath flock tmppath tty", NULL) == -1)
-		err(1, "pledge");
-
 	while ((c = getopt(argc, argv, "I")) != -1) {
 		switch (c) {
 		case 'I':
@ -75,6 +72,15 @@ main(int argc, char** argv)
 	argc -= optind;
 	argv += optind;

+	if ((batch && argc == 1) || (!batch && argc == 2)) {
+		if (unveil(argv[0], "rwc") == -1)
+			err(1, "unveil");
+		if (unveil("/tmp", "rwc") == -1)
+			err(1, "unveil");
+	}
+	if (pledge("stdio rpath wpath cpath flock tmppath tty", NULL) == -1)
+		err(1, "pledge");
+
 	if (batch) {
 		if (argc == 1)
 			file = argv[0];