Move pledge to after getopt, when the finger program becomes known

(defaults to /usr/bin/finger, but can be redefined with -P option).
Then unveil that program for "x" (execution), and pledge as before.
No other filesystem accesses occur after that point.

diff --git a/libexec/fingerd/fingerd.c b/libexec/fingerd/fingerd.c
index e93effc..647b6f5 100644 (file)
--- a/libexec/fingerd/fingerd.c
+++ b/libexec/fingerd/fingerd.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: fingerd.c,v 1.39 2015/11/13 01:26:33 deraadt Exp $    */
+/*     $OpenBSD: fingerd.c,v 1.40 2018/08/03 15:14:18 deraadt Exp $    */
 
 /*
  * Copyright (c) 1983, 1993
@@ -68,9 +68,6 @@ main(int argc, char *argv[])
        char **ap, *av[ENTRIES + 1], line[8192], *lp, *hname;
        char hostbuf[HOST_NAME_MAX+1];
 
-       if (pledge("stdio inet dns proc exec", NULL) == -1)
-               err(1, "pledge");
-
        prog = _PATH_FINGER;
        logging = secure = user_required = short_list = 0;
        openlog("fingerd", LOG_PID, LOG_DAEMON);
@@ -111,6 +108,11 @@ main(int argc, char *argv[])
                        usage();
                }
 
+       if (unveil(prog, "x") == -1)
+               err(1, "unveil");
+       if (pledge("stdio inet dns proc exec", NULL) == -1)
+               err(1, "pledge");
+
        if (logging) {
                struct sockaddr_storage ss;
                struct sockaddr *sa;