htpasswd(1) when in batch mode (-I) and 1 argument is used, or when not in

batch mode and 2 arguments are used we know we have to access argv[0] with rwc
permissions and also to rwc a temporary file in /tmp so we can unveil(2) both
argv[0] and /tmp with rwc permissions. In order to avoid adding "unveil" to
pledge(2), just call it after getopt(3).

Remaining code paths already have fs access disabled via pledge(2).

OK florian@ deraadt@

1 files changed, 10 insertions, 4 deletions

diff --git a/usr.bin/htpasswd/htpasswd.c b/usr.bin/htpasswd/htpasswd.c
index e5c95dfcaad..85a7f5ccece 100644
--- a/usr.bin/htpasswd/htpasswd.c
+++ b/usr.bin/htpasswd/htpasswd.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: htpasswd.c,v 1.16 2017/06/07 09:11:52 awolk Exp $ */
+/*	$OpenBSD: htpasswd.c,v 1.17 2018/10/31 07:39:10 mestre Exp $ */
 /*
  * Copyright (c) 2014 Florian Obser <florian@openbsd.org>
  *
@@ -57,9 +57,6 @@ main(int argc, char** argv)
 	ssize_t linelen;
 	mode_t old_umask;
 
-	if (pledge("stdio rpath wpath cpath flock tmppath tty", NULL) == -1)
-		err(1, "pledge");
-
 	while ((c = getopt(argc, argv, "I")) != -1) {
 		switch (c) {
 		case 'I':
@@ -75,6 +72,15 @@ main(int argc, char** argv)
 	argc -= optind;
 	argv += optind;
 
+	if ((batch && argc == 1) || (!batch && argc == 2)) {
+		if (unveil(argv[0], "rwc") == -1)
+			err(1, "unveil");
+		if (unveil("/tmp", "rwc") == -1)
+			err(1, "unveil");
+	}
+	if (pledge("stdio rpath wpath cpath flock tmppath tty", NULL) == -1)
+		err(1, "pledge");
+
 	if (batch) {
 		if (argc == 1)
 			file = argv[0];