Pledge for ftp(1) in non-interactive mode.

We will iterate and remove some of the pledges in the future.  This is
conservative for now.

Tested by sthen@ and myself.
ok deraadt@

diff --git a/usr.bin/ftp/main.c b/usr.bin/ftp/main.c
index 3b1bc01..6b7dc34 100644 (file)
--- a/usr.bin/ftp/main.c
+++ b/usr.bin/ftp/main.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: main.c,v 1.102 2015/02/22 15:09:54 jsing Exp $        */
+/*     $OpenBSD: main.c,v 1.103 2015/10/16 05:35:19 doug Exp $ */
 /*     $NetBSD: main.c,v 1.24 1997/08/18 10:20:26 lukem Exp $  */
 
 /*
@@ -442,6 +442,28 @@ main(volatile int argc, char *argv[])
 
        if (argc > 0) {
                if (isurl(argv[0])) {
+                       if (pipeout) {
+#ifndef SMALL
+                               if (pledge("stdio rpath tty inet fattr",
+                                   NULL) == -1)
+                                       err(1, "pledge");
+#else
+                               if (pledge("stdio rpath tty inet proc exec fattr",
+                                   NULL) == -1)
+                                       err(1, "pledge");
+#endif
+                       } else {
+#ifndef SMALL
+                               if (pledge("stdio rpath wpath cpath tty inet fattr",
+                                   NULL) == -1)
+                                       err(1, "pledge");
+#else
+                               if (pledge("stdio rpath wpath cpath tty inet proc exec fattr",
+                                   NULL) == -1)
+                                       err(1, "pledge");
+#endif
+                       }
+
                        rval = auto_fetch(argc, argv, outfile);
                        if (rval >= 0)          /* -1 == connected and cd-ed */
                                exit(rval);