From a5617f5ed0f796652921ad76efd0c748acc68995 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Fri, 3 Aug 2018 17:09:22 +0000
Subject: [PATCH] Move pledge after getopt when we know whether the operation is reboot, powerdown, halt, or singleuser. Before pledge, unveil access to /dev/console, /etc/rc for singleuser entry, execute of /usr/bin/wall to alert users, and creation of the fastboot and nologin files. Also conditionally allow execute of halt, reboot, or the shell depending on mode. Believe all scenarios were tested -- please exercise this one a bit.

---
 sbin/shutdown/shutdown.c | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/sbin/shutdown/shutdown.c b/sbin/shutdown/shutdown.c
index 28cf8ff9d77..d28eb676172 100644
--- a/sbin/shutdown/shutdown.c
+++ b/sbin/shutdown/shutdown.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: shutdown.c,v 1.51 2018/04/07 19:08:13 cheloha Exp $	*/
+/*	$OpenBSD: shutdown.c,v 1.52 2018/08/03 17:09:22 deraadt Exp $	*/
 /*	$NetBSD: shutdown.c,v 1.9 1995/03/18 15:01:09 cgd Exp $	*/
 
 /*
@@ -113,9 +113,6 @@ main(int argc, char *argv[])
 	int arglen, ch, len, readstdin = 0;
 	pid_t forkpid;
 
-	if (pledge("stdio rpath wpath cpath getpw tty id proc exec", NULL) == -1)
-		err(1, "pledge");
-
 #ifndef DEBUG
 	if (geteuid())
 		errx(1, "NOT super-user");
@@ -167,6 +164,30 @@ main(int argc, char *argv[])
 		warnx("incompatible switches -p and -r.");
 		usage();
 	}
+
+	if (unveil(_PATH_CONSOLE, "rw") == -1)
+		err(1, "unveil");
+	if (unveil(_PATH_RC, "r") == -1)
+		err(1, "unveil");
+	if (unveil(_PATH_WALL, "x") == -1)
+		err(1, "unveil");
+	if (unveil(_PATH_FASTBOOT, "wc") == -1)
+		err(1, "unveil");
+	if (unveil(_PATH_NOLOGIN, "wc") == -1)
+		err(1, "unveil");
+	if (dohalt || dopower) {
+		if (unveil(_PATH_HALT, "x") == -1)
+			err(1, "unveil");
+	} else if (doreboot) {
+		if (unveil(_PATH_REBOOT, "x") == -1)
+			err(1, "unveil");
+	} else {
+		if (unveil(_PATH_BSHELL, "x") == -1)
+			err(1, "unveil");
+	}
+	if (pledge("stdio rpath wpath cpath getpw tty id proc exec", NULL) == -1)
+		err(1, "pledge");
+
+
 	getoffset(*argv++);
 	if (*argv) {

-- 
2.20.1
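Review bot: Every one of the eight new unveil() calls fails with the identical `err(1, "unveil")`, so a failure on a system where one of these files is missing or cannot be unveiled reports nothing about which path was rejected; including the path, e.g. `err(1, "unveil %s", _PATH_CONSOLE);` and likewise for the other seven calls, makes the diagnostic actionable. The ordering is deliberate and deserves a comment ahead of the pledge() line, such as `/* unveil list is complete; pledging without the "unveil" promise fixes the view */` — presumably that is what locks the view here, so confirm the wording against unveil(2) for this version. The helpers exec'd later (wall, halt, reboot, the shell for /etc/rc) will run under this same filesystem view if it is inherited across execve, so the mode-by-mode exercise the commit message asks for should include checking that none of them needs a path beyond the ones listed; those exec sites are outside this hunk. main() begins and ends outside the hunk.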