Hi,
I'm debugging a program that doesn't work around reading /etc/spwd.db. In
a ktrace it gives this:
78130 rbdaemon CALL open(0xeca79d7b000,0<O_RDONLY>)
78130 rbdaemon NAMI "/etc/spwd.db"
78130 rbdaemon RET open -1 errno 1 Operation not permitted
When I take the pledge code out which is:
if (pledge("stdio cpath rpath wpath inet dns exec getpw proc", NULL)...
Then the program gets further but stalls upon the forked executed cpio that
it calls (cpio is reading /etc/spwd.db).
It took me ages to find out it's a pledge that's doing it and I looked at this
code and it looks like this in /sys/kern/kern_pledge.c:
/* getpw* and friends need a few files */
if ((ni->ni_pledge == PLEDGE_RPATH) &&
(p->p_p->ps_pledge & PLEDGE_GETPW)) {
if (strcmp(path, "/etc/spwd.db") == 0)
return (EPERM); /* don't call pledge_fail */
if (strcmp(path, "/etc/pwd.db") == 0)
return (0);
if (strcmp(path, "/etc/group") == 0)
return (0);
if (strcmp(path, "/etc/netid") == 0)
return (0);
}
So it shows that this is where the EPERM is coming from. So I have to question
the logic of this statement, if we have "rpath getpw" then return EPERM on
/etc/spwd.db reads. Is that right?
should it not be '!(p->p_p->ps_pledge & PLEDGE_GETPW)' here? So as to, if we
have rpath in our pledges and don't have getpw then EPERM on spwd.db reads?
Funnily what's happening now is to the contrary of the manpage to getpw:
getpw This allows read-only opening of files in /etc for the
getpwnam(3), getgrnam(3), getgrouplist(3), and
initgroups(3) family of functions. They may also need to
operate in a yp(8) environment, so a successful open(2) of
/var/run/ypbind.lock enables inet operations.
Maybe I'm reading all code wrong, so how would I fix this? I just need to
somehow read these files...and be pledged.
My system is 6.2.
Regards,
-peter
