From: kn <kn@openbsd.org>
Date: Wed, 20 Jan 2021 07:30:51 +0000 (+0000)
Subject: Pledge before authentication when possible
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=f553ed3cbd0a46607da126d798f48f798014a836;p=openbsd

Pledge before authentication when possible

Generally, pleding before parsing the file seems hardly possible due to
unveil() being involved.

Pledging in case of the winning rule being a "persist" one is not possible
either due to TIOC{SET,CHK}VERAUTH not being allowed in the "tty" pledge.

But if "persist" is not used, we can pledge before authentication
without having to hoist or chang anything.

Feedback deraadt tedu
OK tdeu
---

diff --git a/usr.bin/doas/doas.c b/usr.bin/doas/doas.c
index 12ccf25c970..ff3a59c881d 100644
--- a/usr.bin/doas/doas.c
+++ b/usr.bin/doas/doas.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: doas.c,v 1.86 2021/01/16 09:18:41 martijn Exp $ */
+/* $OpenBSD: doas.c,v 1.87 2021/01/20 07:30:51 kn Exp $ */
 /*
  * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
  *
@@ -206,11 +206,15 @@ authuser(char *myname, char *login_style, int persist)
 	auth_session_t *as;
 	int fd = -1;
 
-	if (persist)
+	if (persist) {
 		fd = open("/dev/tty", O_RDWR);
-	if (fd != -1) {
-		if (ioctl(fd, TIOCCHKVERAUTH) == 0)
-			goto good;
+		if (fd != -1) {
+			if (ioctl(fd, TIOCCHKVERAUTH) == 0)
+				goto good;
+		}
+	} else {
+		if (pledge("stdio rpath getpw exec id unveil", NULL) == -1)
+			err(1, "pledge");
 	}
 
 	if (!(as = auth_userchallenge(myname, login_style, "auth-doas",