author | 2018-08-03 15:14:18 +0000 | |
---|---|---|
committer | 2018-08-03 15:14:18 +0000 | |
commit | 19a58c97c6ac669df6ffb98319f0862ab85f223b (patch) | |
tree | 63eefb34ecbec57d8eec327b90a82297b99b1bd7 /libexec/fingerd | |
parent | pledge() a little later, after getopt operation, in case -f option changes (diff) | |
Move pledge to after getopt, when the finger program becomes known
(defaults to /usr/bin/finger, but can be redefined with -P option).
Then unveil that program for "x" (execution), and pledge as before.
No other filesystem accesses occur after that point.
Diffstat (limited to 'libexec/fingerd')
-rw-r--r-- | libexec/fingerd/fingerd.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/libexec/fingerd/fingerd.c b/libexec/fingerd/fingerd.c
index e93effce434..647b6f57cbc 100644
--- a/libexec/fingerd/fingerd.c
+++ b/libexec/fingerd/fingerd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: fingerd.c,v 1.39 2015/11/13 01:26:33 deraadt Exp $ */
+/* $OpenBSD: fingerd.c,v 1.40 2018/08/03 15:14:18 deraadt Exp $ */
 /*
 * Copyright (c) 1983, 1993
@@ -68,9 +68,6 @@ main(int argc, char *argv[])
 char **ap, *av[ENTRIES + 1], line[8192], *lp, *hname;
 char hostbuf[HOST_NAME_MAX+1];
- if (pledge("stdio inet dns proc exec", NULL) == -1)
- err(1, "pledge");
-
 prog = _PATH_FINGER;
 logging = secure = user_required = short_list = 0;
 openlog("fingerd", LOG_PID, LOG_DAEMON);
@@ -111,6 +108,11 @@ main(int argc, char *argv[])
 usage();
 }
+ if (unveil(prog, "x") == -1)
+ err(1, "unveil");
+ if (pledge("stdio inet dns proc exec", NULL) == -1)
+ err(1, "pledge");
+
 if (logging) {
 struct sockaddr_storage ss;
 struct sockaddr *sa; |
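Review bot: The new unveil and pledge failure paths in the third hunk report through `err(1, ...)`, which writes to stderr, even though `openlog("fingerd", LOG_PID, LOG_DAEMON)` has already run by then (visible in the second hunk's context). If fingerd is started with stderr attached to the client connection, which this page does not show and should be confirmed, an unveil failure on a `-P` path would be sent to the remote peer and leave no trace in syslog. Consider logging before exiting, for example `syslog(LOG_ERR, "unveil %s: %m", prog); exit(1);`, with the equivalent for the pledge branch. A one-line comment above the pair would also record the intent: `/* only prog may be exec'd; pledge without "unveil" blocks further unveil(2) calls, and this must stay ahead of any peer input */`. main() begins and ends outside the hunk, so the handling of peer input after this point was not reviewed here.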