From 4236b3edc9da8c3d594722901263adc4e4205d5f Mon Sep 17 00:00:00 2001
From: tb <tb@openbsd.org>
Date: Thu, 15 Jun 2017 19:37:10 +0000
Subject: [PATCH] Finer grained pledge for at(1).  After setegid(), do a
 three-way pledge: For AT and BATCH:	"stdio rpath wpath cpath fattr getpw
 unix" For ATRM:		"stdio rpath cpath getpw unix" For ATQ and
 CAT:	"stdio rpath getpw" "unix" is needed for poke_daemon() and "fattr" to
 chmod +x spoolfile.

idea and ok millert
---
 usr.bin/at/at.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/usr.bin/at/at.c b/usr.bin/at/at.c
index 16a96a7baf4..21936c15e88 100644
--- a/usr.bin/at/at.c
+++ b/usr.bin/at/at.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: at.c,v 1.80 2017/06/07 23:36:43 millert Exp $	*/
+/*	$OpenBSD: at.c,v 1.81 2017/06/15 19:37:10 tb Exp $	*/
 
 /*
  *  at.c : Put file into atrun queue
@@ -991,9 +991,26 @@ main(int argc, char **argv)
 			if (setegid(spool_gid) != 0)
 				fatal("setegid(spool_gid)");
 		}
+
+		if (pledge("stdio rpath wpath cpath fattr getpw unix", NULL)
+		    == -1)
+			fatal("pledge");
+		break;
+
+	case ATQ:
+	case CAT:
+		if (pledge("stdio rpath getpw", NULL) == -1)
+			fatal("pledge");
+		break;
+
+	case ATRM:
+		if (pledge("stdio rpath cpath getpw unix", NULL) == -1)
+			fatal("pledge");
 		break;
+
 	default:
-		;
+		fatalx("internal error");
+		break;
 	}
 
 	if ((pw = getpwuid(user_uid)) == NULL)
-- 
2.20.1