Pledge before authentication when possible

Generally, pleding before parsing the file seems hardly possible due to
unveil() being involved.

Pledging in case of the winning rule being a "persist" one is not possible
either due to TIOC{SET,CHK}VERAUTH not being allowed in the "tty" pledge.

But if "persist" is not used, we can pledge before authentication
without having to hoist or chang anything.

Feedback deraadt tedu
OK tdeu

diff --git a/usr.bin/doas/doas.c b/usr.bin/doas/doas.c
index 12ccf25..ff3a59c 100644 (file)
--- a/usr.bin/doas/doas.c
+++ b/usr.bin/doas/doas.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: doas.c,v 1.86 2021/01/16 09:18:41 martijn Exp $ */
+/* $OpenBSD: doas.c,v 1.87 2021/01/20 07:30:51 kn Exp $ */
 /*
  * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
  *
@@ -206,11 +206,15 @@ authuser(char *myname, char *login_style, int persist)
        auth_session_t *as;
        int fd = -1;
 
-       if (persist)
+       if (persist) {
                fd = open("/dev/tty", O_RDWR);
-       if (fd != -1) {
-               if (ioctl(fd, TIOCCHKVERAUTH) == 0)
-                       goto good;
+               if (fd != -1) {
+                       if (ioctl(fd, TIOCCHKVERAUTH) == 0)
+                               goto good;
+               }
+       } else {
+               if (pledge("stdio rpath getpw exec id unveil", NULL) == -1)
+                       err(1, "pledge");
        }
 
        if (!(as = auth_userchallenge(myname, login_style, "auth-doas",