add unveil(2) to vipw(8)

The files needed to be unveiled directly or indirectly via libutil are the
following:
- _PATH_MASTERPASSWD_LOCK - write/create permissions
- _PATH_MASTERPASSWD - read permission
- _PATH_BSHELL - execute permission
- _PATH_PWD_MKDB - execute permission

_PATH_MASTERPASSWD gets read and then _PATH_MASTERPASSWD_LOCK is created and
the content of the former is written on the latter. After this _PATH_BSHELL
spawns an EDITOR (vi(1) by default) and at the end then _PATH_PWD_MKDB is ran
to update the _PATH_MASTERPASSWD based in what was actually changed in
_PATH_MASTERPASSWD_LOCK.

OK deraadt@

1 files changed, 10 insertions, 1 deletions

diff --git a/usr.sbin/vipw/vipw.c b/usr.sbin/vipw/vipw.c
index 5f6e0205d47..26a0d24ea42 100644
--- a/usr.sbin/vipw/vipw.c
+++ b/usr.sbin/vipw/vipw.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: vipw.c,v 1.21 2017/07/12 23:10:28 jca Exp $	 */
+/*	$OpenBSD: vipw.c,v 1.22 2018/09/27 06:52:15 mestre Exp $	 */
 
 /*
  * Copyright (c) 1987, 1993, 1994
@@ -34,6 +34,7 @@
 
 #include <err.h>
 #include <fcntl.h>
+#include <paths.h>
 #include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -62,6 +63,14 @@ main(int argc, char *argv[])
 	if (argc != 0)
 		usage();
 
+	if (unveil(_PATH_MASTERPASSWD_LOCK, "wc") == -1)
+		err(1, "unveil");
+	if (unveil(_PATH_MASTERPASSWD, "r") == -1)
+		err(1, "unveil");
+	if (unveil(_PATH_BSHELL, "x") == -1)
+		err(1, "unveil");
+	if (unveil(_PATH_PWD_MKDB, "x") == -1)
+		err(1, "unveil");
 	if (pledge("stdio rpath wpath cpath fattr proc exec", NULL) == -1)
 		err(1, "pledge");