> I agree that it could be disappointing. but cpio is pledged, so it
> couldn't open /etc/spwd.db, because we considered this operation as
> a privileged operation.
>
> in order to backup this file, you need another tool. someone already
> mentioned dump(8) as example.
The solution is obvious. The control program outside can be pledged, but it will run non-pledged components to access files. Which will be small, and contain no bugs. Why is there an assumption that all processes of a privsep program have the same pledge? Quite often, some of them are very small, and have no pledge.
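The split described in the reply above, as an added example that is not code from the thread, from cpio, or from any OpenBSD program: a control process that is pledged so it cannot open files at all, and a small helper process with no pledge that opens the file and hands the descriptor back over a socketpair with SCM_RIGHTS. The function names (`read_via_helper`, `demo_roundtrip`, `helper_rejects_missing_file`) and the sample file contents are assumptions for illustration; the sample is a constructed temp file, not /etc/spwd.db. Since pledge(2) exists only on OpenBSD, the call is guarded with `#ifdef __OpenBSD__`; on other systems the same fd-passing privsep runs without the sandbox. One caveat the example encodes: pledge promises are inherited across fork, so the unpledged helper must be forked before the control process pledges (exec with execpromises is the other way to give a child a different pledge).

```c
/* Added example: pledged control process + unpledged file-access helper.
 * Not OpenBSD or cpio code; names and sample data are assumptions. */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __OpenBSD__
#define PLEDGE(p) do { if (pledge(p, NULL) == -1) { perror("pledge"); _exit(1); } } while (0)
#else
#define PLEDGE(p) do { } while (0)   /* no pledge(2) on this platform */
#endif

/* Pass one descriptor over a unix socket (SCM_RIGHTS). */
static int send_fd(int sock, int fd) {
    char c = 0;
    struct iovec iov = { .iov_base = &c, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; -1 on EOF or malformed message. */
static int recv_fd(int sock) {
    char c;
    struct iovec iov = { .iov_base = &c, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Control side. Forks the helper first (pledge is inherited across fork,
 * so the helper must exist before we pledge), then pledges "stdio recvfd":
 * after that this process cannot open(2) anything itself, only read
 * through a descriptor the helper sends. Returns bytes read, or -1. */
ssize_t read_via_helper(const char *path, char *buf, size_t len) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {
        /* Helper: tiny, no pledge. Opens the file and hands back the fd. */
        close(sv[0]);
        int fd = open(path, O_RDONLY);
        if (fd == -1 || send_fd(sv[1], fd) == -1) _exit(1);
        _exit(0);
    }
    close(sv[1]);
    PLEDGE("stdio recvfd");
    int fd = recv_fd(sv[0]);
    close(sv[0]);
    int status;
    waitpid(pid, &status, 0);
    if (fd == -1) return -1;
    ssize_t n = read(fd, buf, len);
    close(fd);
    return n;
}

/* Demo: write a constructed file (not real spwd.db data), read it back
 * through the helper, return 1 if the contents match. */
int demo_roundtrip(void) {
    const char *content = "demo:*:1000:1000:::\n";  /* constructed sample */
    char tmpl[] = "/tmp/pledge-demo.XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd == -1) return 0;
    if (write(fd, content, strlen(content)) != (ssize_t)strlen(content)) {
        close(fd); unlink(tmpl); return 0;
    }
    close(fd);
    char buf[256];
    ssize_t n = read_via_helper(tmpl, buf, sizeof buf - 1);
    unlink(tmpl);
    if (n < 0) return 0;
    buf[n] = '\0';
    return strcmp(buf, content) == 0;
}

/* Failure path: helper cannot open the file, so no fd arrives and the
 * control side gets -1 instead of a descriptor. Returns 1 if so. */
int helper_rejects_missing_file(void) {
    char buf[8];
    return read_via_helper("/nonexistent/pledge-demo/spwd.db", buf, sizeof buf) == -1;
}

int main(void) {
    printf("roundtrip: %s\n", demo_roundtrip() ? "ok" : "failed");
    printf("missing file: %s\n", helper_rejects_missing_file() ? "rejected" : "unexpected");
    return 0;
}
```

In this layout the control process never holds "rpath", so a bug in its own parsing or archive code cannot be turned into a read of an arbitrary file; only the few-line helper can open anything, and it opens exactly one path and exits. A real tool would add an authorization check in the helper before open(2), since otherwise the helper is just an open(2) oracle for whatever the control side asks.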