From: deraadt
Date: Mon, 12 Oct 2015 05:05:24 +0000 (+0000)
Subject: preservation modes can adjust setugid bits, so no pledge is possible.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=284f68dbad454d03549a697187015f8707789399;p=openbsd

preservation modes can adjust setugid bits, so no pledge is possible. Otherwise, lay the groundwork for whether a gzip program may be run or not. After such a gzip program is started, pledge the program will not exec again. Took a few iterations to get this going... it is looking good. with guenther.
---

diff --git a/bin/pax/ar_io.c b/bin/pax/ar_io.c
index 15d94ec7aee..1d9717c20f0 100644
--- a/bin/pax/ar_io.c
+++ b/bin/pax/ar_io.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ar_io.c,v 1.50 2015/03/22 03:15:00 guenther Exp $ */
+/* $OpenBSD: ar_io.c,v 1.51 2015/10/12 05:05:24 deraadt Exp $ */
 /* $NetBSD: ar_io.c,v 1.5 1996/03/26 23:54:13 mrg Exp $ */
 
 /*-
@@ -1260,6 +1260,10 @@ ar_start_gzip(int fd, const char *path, int wr)
 dup2(fds[0], fd);
 close(fds[0]);
 close(fds[1]);
+
+ if (pledge("stdio rpath wpath cpath fattr getpw ioctl proc",
+ NULL) == -1)
+ err(1, "pledge");
 } else {
 if (wr) {
 dup2(fds[0], STDIN_FILENO);
diff --git a/bin/pax/pax.c b/bin/pax/pax.c
index edb08caec38..fd399241338 100644
--- a/bin/pax/pax.c
+++ b/bin/pax/pax.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pax.c,v 1.41 2015/03/09 04:23:29 guenther Exp $ */
+/* $OpenBSD: pax.c,v 1.42 2015/10/12 05:05:24 deraadt Exp $ */
 /* $NetBSD: pax.c,v 1.5 1996/03/26 23:54:20 mrg Exp $ */
 
 /*-
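Review bot: In bin/pax/ar_io.c, the pledge added to the parent branch of ar_start_gzip runs unconditionally, whereas the pledge added to main in pax.c is deliberately skipped when pmode is set and act is EXTRACT or COPY, because (per the commit message) setugid bits cannot be adjusted under pledge. A compressed extract with a preservation mode would therefore become pledged after all once the gzip program has been started, and restoring setugid bits would presumably fail from that point on. Wrapping the call in the same condition, `if (pmode == 0 || (act != EXTRACT && act != COPY)) {` ... `}`, keeps the two files consistent; this assumes pmode and act are visible in ar_io.c, which the hunk does not show. ar_start_gzip begins and ends outside the hunk.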
@@ -256,6 +256,23 @@ main(int argc, char **argv)
 if ((gen_init() < 0) || (tty_init() < 0))
 return(exit_val);
 
+ /*
+ * pmode needs to restore setugid bits when extracting or copying,
+ * so can't tame at all then.
+ */
+ if (pmode == 0 || (act != EXTRACT && act != COPY)) {
+ if (pledge("stdio rpath wpath cpath fattr getpw ioctl proc exec",
+ NULL) == -1)
+ err(1, "pledge");
+
+ /* Copy mode, or no gzip -- don't need to fork/exec. */
+ if (gzip_program == NULL || act == COPY) {
+ if (pledge("stdio rpath wpath fattr cpath getpw ioctl",
+ NULL) == -1)
+ err(1, "pledge");
+ }
+ }
+
 /*
 * select a primary operation mode
 */
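Review bot: The comment above the new block in main still says "tame", the earlier name of the call, and it does not record that the skipped case is the one that keeps running with no restriction while it processes archive contents. I would reword it to `/* pmode restores setugid bits when extracting or copying, which cannot be done under pledge, so those runs stay unpledged. */`. The two promise strings also list the same promises in a different order (`cpath fattr` versus `fattr cpath`), which hides that the narrower call only drops `proc exec`; keeping the order identical would make that difference obvious on review. main continues outside the hunk.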