From 239b4933a2ebe0dff879a3d0dfd900ecc1426083 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Mon, 24 Sep 2018 21:30:00 +0000
Subject: [PATCH] unveil(2) in getty. This has been in snaps for more than 2 months, since I worry that a mistake in here will cause significant grief.
---
 libexec/getty/main.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/libexec/getty/main.c b/libexec/getty/main.c
index b55bd1a3846..6032432d7fa 100644
--- a/libexec/getty/main.c
+++ b/libexec/getty/main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.48 2017/05/29 04:40:35 deraadt Exp $ */
+/* $OpenBSD: main.c,v 1.49 2018/09/24 21:30:00 deraadt Exp $ */
 /*-
 * Copyright (c) 1980, 1993
@@ -169,6 +169,19 @@ main(int argc, char *argv[])
 ioctl(0, FIOASYNC, &off); /* turn off async mode */
+ if (unveil("/usr/bin/login", "x") == -1) {
+ syslog(LOG_ERR, "%s: %m", tname);
+ exit(1);
+ }
+ if (unveil(_PATH_GETTYTAB, "r") == -1) {
+ syslog(LOG_ERR, "%s: %m", tname);
+ exit(1);
+ }
+ if (unveil("/dev", "rw") == -1) {
+ syslog(LOG_ERR, "%s: %m", tname);
+ exit(1);
+ }
+
 /*
 * The following is a work around for vhangup interactions
 * which cause great problems getting window systems started.
-- 
2.20.1
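Review bot: The three added unveil() failure branches in main() all log the identical `"%s: %m"` with tname, so the syslog entry says neither that unveil failed nor which path was rejected before getty exits. Given the concern in the commit message, name the call and the path in each branch, e.g. `syslog(LOG_ERR, "%s: unveil %s: %m", tname, _PATH_GETTYTAB);`. Nothing in the hunk locks the view afterwards with `unveil(NULL, NULL)` or a pledge that omits the unveil promise. main() continues outside the hunk, so confirm one follows; otherwise the process can still unveil further paths later. The login program is unveiled as the literal `"/usr/bin/login"`; if the program exec'd later can come from configuration instead, that exec would fail under this view, so a short comment stating the assumption would help.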