authorKlemens Nanni <kn@cvs.openbsd.org>2023-11-09 18:54:16 +0000
committerKlemens Nanni <kn@cvs.openbsd.org>2023-11-09 18:54:16 +0000
commitf90b9bee2332d123cfac9f3d91ac5bed9be638a5 (patch)
treeed799adb57d00844c33221511763d6ca1a88c3d7
parent9aef625730c7d81a8845b5aaf40b258c75c4b46a (diff)
Tighten pledge in List and Append mode:
Drop "wpath cpath fattr dpath" in read-only:
- cpio -i -t < test.tar
- pax < test.tar
- tar -t -f test.tar

Drop "cpath fattr dpath" in read-write:
- echo foo | cpio -o -A -H ustar -O test.tar
- tar -r -f test.tar foo
- pax -w -a -f test.tar foo

Other modes remain unchanged and thus can create or modify files.

Feedback OK millert
-rw-r--r--bin/pax/ar_io.c15
-rw-r--r--bin/pax/pax.c33
2 files changed, 37 insertions, 11 deletions
diff --git a/bin/pax/ar_io.c b/bin/pax/ar_io.c
index ddbd36ee720..ab0ea929819 100644
--- a/bin/pax/ar_io.c
+++ b/bin/pax/ar_io.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ar_io.c,v 1.63 2019/06/28 13:34:59 deraadt Exp $ */
+/* $OpenBSD: ar_io.c,v 1.64 2023/11/09 18:54:15 kn Exp $ */
/* $NetBSD: ar_io.c,v 1.5 1996/03/26 23:54:13 mrg Exp $ */
/*-
@@ -1261,9 +1261,16 @@ ar_start_gzip(int fd, const char *path, int wr)
close(fds[1]);
if (pmode == 0 || (act != EXTRACT && act != COPY)) {
- if (pledge("stdio rpath wpath cpath fattr dpath getpw proc tape",
- NULL) == -1)
- err(1, "pledge");
+ if (act == LIST) {
+ if (pledge("stdio rpath getpw proc tape",
+ NULL) == -1)
+ err(1, "pledge");
+ /* can not gzip while appending */
+ } else {
+ if (pledge("stdio rpath wpath cpath fattr dpath getpw proc tape",
+ NULL) == -1)
+ err(1, "pledge");
+ }
}
} else {
if (wr) {
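Review bot: The comment `/* can not gzip while appending */` sits at the tail of the `act == LIST` branch, where it reads as a remark about listing rather than as the reason there is no `APPND` branch in this gzip path. I would move it onto the fallback and say what it implies, e.g. `/* No APPND case: can not gzip while appending; all other modes keep the full set. */` placed directly above the full-promise `pledge()` call in the `else`. As written, an append that did reach this point would get the broad promise set, which is the safe direction, but a reader auditing the promises should not have to infer that. The same comment placement recurs in the gzip branch of the pax.c hunk; ar_start_gzip begins and ends outside this hunk.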
diff --git a/bin/pax/pax.c b/bin/pax/pax.c
index f86ba6d7ceb..1bdb6160bd5 100644
--- a/bin/pax/pax.c
+++ b/bin/pax/pax.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pax.c,v 1.55 2023/10/15 09:49:57 kn Exp $ */
+/* $OpenBSD: pax.c,v 1.56 2023/11/09 18:54:15 kn Exp $ */
/* $NetBSD: pax.c,v 1.5 1996/03/26 23:54:20 mrg Exp $ */
/*-
@@ -273,13 +273,32 @@ main(int argc, char **argv)
if (pmode == 0 || (act != EXTRACT && act != COPY)) {
/* Copy mode, or no gzip -- don't need to fork/exec. */
if (gzip_program == NULL || act == COPY) {
- if (pledge("stdio rpath wpath cpath fattr dpath getpw tape",
- NULL) == -1)
- err(1, "pledge");
+ /* List mode -- don't need to write/create/modify files. */
+ if (act == LIST) {
+ if (pledge("stdio rpath getpw tape",
+ NULL) == -1)
+ err(1, "pledge");
+ /* Append mode -- don't need to create/modify files. */
+ } else if (act == APPND) {
+ if (pledge("stdio rpath wpath getpw tape",
+ NULL) == -1)
+ err(1, "pledge");
+ } else {
+ if (pledge("stdio rpath wpath cpath fattr dpath getpw tape",
+ NULL) == -1)
+ err(1, "pledge");
+ }
} else {
- if (pledge("stdio rpath wpath cpath fattr dpath getpw proc exec tape",
- NULL) == -1)
- err(1, "pledge");
+ if (act == LIST) {
+ if (pledge("stdio rpath getpw proc exec tape",
+ NULL) == -1)
+ err(1, "pledge");
+ /* can not gzip while appending */
+ } else {
+ if (pledge("stdio rpath wpath cpath fattr dpath getpw proc exec tape",
+ NULL) == -1)
+ err(1, "pledge");
+ }
}
}
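Review bot: The new `act == APPND` branch pledges `"stdio rpath wpath getpw tape"`, so anything on the append path that changes file attributes will now be a pledge violation and abort the process. The hunk does not show whether the append write path restores access times on the files it reads (the access-time reset option of pax/cpio); if it does, a call such as utimensat(2)/futimens(2) requires `fattr`. The commands listed in the commit message do not exercise that option, so it is worth testing an append with it before relying on this set. If it does trip, the minimal fix is to keep that one promise, `pledge("stdio rpath wpath fattr getpw tape", NULL)`, and extend the comment to `/* Append mode -- don't need to create files; fattr only for access-time reset. */`. main() continues outside this hunk, so where the archive is opened relative to this pledge cannot be confirmed from here.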