Download raw body.
gotd auth unveil
Remove filesystem access via bind(2) from gotd's auth process. See the added comment for rationale, and keep in mind that AF_UNIX bind(2) requires unveil "w". ok? diff 365cf0f34d08316d433e730a8663283029f729b3 e5a2e986b1e0218e92b07c306c988228361d287a commit - 365cf0f34d08316d433e730a8663283029f729b3 commit + e5a2e986b1e0218e92b07c306c988228361d287a blob - 05f659daea632d0e305556351e4d6a5e97519fa0 blob + df8e6d3dd6fc2d0d820022d725c5ad99e5c3d54b --- gotd/gotd.c +++ gotd/gotd.c @@ -2582,9 +2582,18 @@ main(int argc, char **argv) break; case PROC_AUTH: #ifndef PROFILE - if (pledge("stdio getpw recvfd unix", NULL) == -1) + if (pledge("stdio getpw recvfd unix unveil", NULL) == -1) err(1, "pledge"); #endif + /* + * We need the "unix" pledge promise for getpeername(2) only. + * Ensure that AF_UNIX bind(2) cannot be used by revoking all + * filesystem access via unveil(2). Access to password database + * files will still work since "getpw" bypasses unveil(2). + */ + if (unveil(NULL, NULL) == -1) + fatal("unveil"); + auth_main(title, &gotd.repos, repo_path); /* NOTREACHED */ break;
gotd auth unveil