On Tue, Oct 24, 2017 at 08:09:14AM -0600, Theo de Raadt wrote:
> > I agree that it could be disappointing. But cpio is pledged, so it
> > couldn't open /etc/spwd.db, because we considered this operation as
> > a privileged operation.
> >
> > In order to back up this file, you need another tool. Someone already
> > mentioned dump(8) as an example.
>
> The solution is obvious.
>
> The control program outside can be pledged, but it will run non-pledged
> components to access files. Which will be small, and contain no bugs.
>
> Why is there an assumption that all processes of a privsep program
> have the same pledge? Quite often, some of them are very small, and
> have no pledge.
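The privsep layout sketched in the reply above, as an added example that is not code from this thread or from OpenBSD: a control process that spawns a tiny helper, then pledges itself down to "stdio" and asks the helper for file contents over a socketpair. The helper_* names, the length-prefixed request/reply framing and the /etc/hosts path used by main are this example's own assumptions; pledge(2) exists only on OpenBSD, so on other systems the PLEDGE macro compiles to a no-op and only the process structure is exercised.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/socket.h>
#include <sys/wait.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* pledge(2) exists only on OpenBSD; elsewhere PLEDGE compiles to a no-op
 * (an assumption so the process layout can be exercised on other systems). */
#ifdef __OpenBSD__
#define PLEDGE(p) pledge((p), NULL)
#else
#define PLEDGE(p) 0
#endif
#define MAXPATH 4096

/* Move exactly n bytes in one direction, retrying on EINTR; -1 on EOF/error. */
static int xio(int fd, void *buf, size_t n, int writing) {
    char *p = buf;
    while (n > 0) {
        ssize_t r = writing ? write(fd, p, n) : read(fd, p, n);
        if (r == -1 && errno == EINTR) continue;
        if (r <= 0) return -1;
        p += r; n -= (size_t)r;
    }
    return 0;
}
#define xread(fd, b, n)  xio((fd), (b), (n), 0)
#define xwrite(fd, b, n) xio((fd), (void *)(b), (n), 1)

/* Helper process: the one component allowed to open arbitrary paths. It keeps
 * "stdio rpath" here (the thread's helper is unpledged; either way it stays tiny).
 * Framing is this example's own: request = u32 length + path bytes; reply =
 * u32 length + file bytes, with length UINT32_MAX meaning the open failed. */
static void helper_loop(int fd) {
    static char data[65536];            /* replies are capped at this size */
    char path[MAXPATH + 1];
    if (PLEDGE("stdio rpath") == -1) _exit(1);
    for (;;) {
        uint32_t plen, dlen = UINT32_MAX;
        if (xread(fd, &plen, sizeof plen) == -1) _exit(0);   /* EOF: parent done */
        if (plen == 0 || plen > MAXPATH || xread(fd, path, plen) == -1) _exit(1);
        path[plen] = '\0';
        FILE *f = fopen(path, "r");
        if (f != NULL) { dlen = (uint32_t)fread(data, 1, sizeof data, f); fclose(f); }
        if (xwrite(fd, &dlen, sizeof dlen) == -1) _exit(1);
        if (dlen != UINT32_MAX && xwrite(fd, data, dlen) == -1) _exit(1);
    }
}

struct helper { int fd; pid_t pid; };

/* Control side: spawn the helper first (fork needs "proc"), then shrink this
 * process to "stdio". From here on the parent cannot open paths; the helper can. */
int helper_start(struct helper *h) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    h->pid = fork();
    if (h->pid == -1) { close(sv[0]); close(sv[1]); return -1; }
    if (h->pid == 0) { close(sv[0]); helper_loop(sv[1]); }
    close(sv[1]);
    h->fd = sv[0];
    return PLEDGE("stdio");
}

/* Fetch a file through the helper; returns bytes stored in out, or -1. The reply
 * is drained even when out is smaller, so a short buffer cannot desync the stream. */
ssize_t helper_read(struct helper *h, const char *path, char *out, size_t outsz) {
    uint32_t plen = (uint32_t)strlen(path), dlen;
    char sink[4096];
    size_t kept = 0;
    if (plen == 0 || plen > MAXPATH) return -1;
    if (xwrite(h->fd, &plen, sizeof plen) == -1 || xwrite(h->fd, path, plen) == -1) return -1;
    if (xread(h->fd, &dlen, sizeof dlen) == -1 || dlen == UINT32_MAX) return -1;
    while (dlen > 0) {
        size_t chunk = dlen < sizeof sink ? dlen : sizeof sink;
        size_t take = chunk < outsz - kept ? chunk : outsz - kept;
        if (xread(h->fd, sink, chunk) == -1) return -1;
        memcpy(out + kept, sink, take);
        kept += take;
        dlen -= (uint32_t)chunk;
    }
    return (ssize_t)kept;
}

/* Closing our end gives the helper EOF; it exits 0 and we reap it. */
int helper_stop(struct helper *h) {
    int status = 0;
    close(h->fd);
    while (waitpid(h->pid, &status, 0) == -1 && errno == EINTR) ;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) {                        /* stand-alone demo on an example path */
    struct helper h; char buf[256]; ssize_t n;
    if (helper_start(&h) == -1) return 1;
    n = helper_read(&h, "/etc/hosts", buf, sizeof buf - 1);
    if (n >= 0) { buf[n] = '\0'; printf("helper returned %zd bytes:\n%s", n, buf); }
    return helper_stop(&h) == 0 ? 0 : 1;
}
```

The order in helper_start is the whole point: the helper is forked before the parent pledges, because a process pledged to "stdio" alone can no longer fork, and pledges can only be narrowed, never widened. The parent therefore keeps no file-opening capability at all after start-up, and the only code that touches the special file is the helper loop, which is small enough to audit on its own.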
Thank you to all who participated in this thread. I'm a tad wiser now, but it
was hard work. At last I'd like to give the community a small present, if it's
wanted. So that efforts don't seem like a total waste of time. Extra thanks to
Daniel, Theo and Sebastien. Patch to open manpage after my signature.

-peter

Index: open.2 =================================================================== RCS file: /cvs/src/lib/libc/sys/open.2,v retrieving revision 1.49 diff -u -p -u -r1.49 open.2 --- open.2 19 Jan 2015 15:54:11 -0000 1.49 +++ open.2 24 Oct 2017 14:28:30 -0000 @@ -235,6 +235,10 @@ and .Fn openat functions will fail if: .Bl -tag -width Er +.It Bq Er EPERM +When opening a special file and the program has requested certain +.Xr pledge 2 +promises. .It Bq Er ENOTDIR A component of the path prefix is not a directory. .It Bq Er ENOTDIR
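Review bot: the new EPERM entry (the four `+` lines right after `.Bl -tag -width Er`) tells the reader that "certain pledge(2) promises" cause the error without saying which ones, so a programmer who gets EPERM on a special file still cannot tell from open(2) whether their promise set is the cause; state the condition the way the neighbouring entries do (which promises, and what counts as a special file here) or point at the specific part of pledge(2) that documents it, rather than "certain". Also worth checking against the part of the list this hunk does not show: the visible context already carries two separate `.It Bq Er ENOTDIR` entries, so if an `.It Bq Er EPERM` entry exists further down, the pledge case may read better merged into it than as a new first entry placed ahead of ENOTDIR.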