On Tue, Oct 24, 2017 at 01:31:32PM +0200, Sebastien Marie wrote:
> > This is why I asked if the pledge is too tight on cpio.
>
> I agree that it could be disappointing. but cpio is pledged, so it
> couldn't open /etc/spwd.db, because we considered this operation as
> a privileged operation.
>
> in order to backup this file, you need another tool. someone already
> mentioned dump(8) as example.
So all an attacker has to do is call pledge() again, with LESS permissive
promises, i.e. giving up getpw?

    #include <err.h>
    #include <stdio.h>
    #include <unistd.h>

    int
    main(void)
    {
    	/* First pledge includes "getpw": opening /etc/spwd.db is refused. */
    	if (pledge("stdio rpath getpw", NULL) == -1)
    		err(1, "pledge");
    	printf("first fopen %s\n",
    	    fopen("/etc/spwd.db", "r") ? "succeeded" : "failed");

    	/* Second pledge drops "getpw": see the output below for the result. */
    	if (pledge("stdio rpath", NULL) == -1)
    		err(1, "pledge");
    	printf("second fopen %s\n",
    	    fopen("/etc/spwd.db", "r") ? "succeeded" : "failed");
    	return 0;
    }

    first fopen failed
    second fopen succeeded

Daniel