On 2020-05-29, Luke Small <lukensm...@gmail.com> wrote: > unveil is nowhere to be found in the ftp program source code. There’s > probably another way to do it, but I wrote a program and searched all files > in /usr/src/usr.bin/ftp/ contain no mention of “unveil”, but It mentions > “pledge” > > It could take 3 lines at line 389 in /usr/src/usr.bin/ftp/main.c: > if (strcmp(outfile, "-")) > if (unveil(outfile, "cw") == -1) > err(1, "unveil"); > > and an unveil for whatever (I presume config file(s)) ftp reads and > whatever is executed.
If you look at what ftp(1) does you'll see that way more is needed: cookie file (set on the command line) tls session storage (set on the command line) user database files for getpwnam ~/.netrc (directory name found from user database) files fetched with file: URLs (set on the command line) X.509 certificates (-T cafile/capath on the command line, but with capath the files in the stated directory are often symlinks that would need to be resolved). Some of these could be avoided by building up a path list first and deferring the unveil call until after init. That is more complex though. And then unless you add more complexity it only works with ftp -o (and can never work with interactive mode). > It has rpath and exec among other pledges, but has cpath and wpath only if > a file is specified with the ‘-o’ flag. It has cpath and wpath in all cases except when you use "-o -".
