Use a strict $PATH of "/usr/bin:/usr/local/bin" to run the (de)compressors

(gzip, compress, bzip2) rather than following the user's path.  This
seems easier than hardcoding the paths elsewhere and using basename().

pax/tar is pledged itself, but it can spawn one of these programs if
asked.  The three found at the strict path use pledge "stdio" very early
during startup, providing a warm fuzzy pledge->exec->no-pledge->pledge
interlock.  For bzip2, this assumes use of the ports/packages version
installed to /usr/local/bin, which has been pledged by sthen@.

Doing a 'tar tvfz hostile.tgz' becomes a bit safer, since an attacker
finding a buffer overflow or use after free has significantly fewer
system calls available (only pledge "stdio" in the decompressor).

ok millert sthen

diff --git a/bin/pax/ar_io.c b/bin/pax/ar_io.c
index 8db2332..8f313de 100644 (file)
--- a/bin/pax/ar_io.c
+++ b/bin/pax/ar_io.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ar_io.c,v 1.53 2015/10/12 14:01:06 semarie Exp $      */
+/*     $OpenBSD: ar_io.c,v 1.54 2015/10/14 20:57:28 deraadt Exp $      */
 /*     $NetBSD: ar_io.c,v 1.5 1996/03/26 23:54:13 mrg Exp $    */
 
 /*-
@@ -1278,6 +1278,10 @@ ar_start_gzip(int fd, const char *path, int wr)
                }
                close(fds[0]);
                close(fds[1]);
+
+               /* System compressors are more likely to use pledge(2) */
+               putenv("PATH=/usr/bin:/usr/local/bin");
+
                if (execlp(path, path, gzip_flags, (char *)NULL) < 0)
                        err(1, "could not exec %s", path);
                /* NOTREACHED */