CVSROOT:        /cvs
Module name:    src
Changes by:     [email protected] 2026/03/07 11:35:43

Modified files:
        usr.bin/ssh    : ssh-agent.c 

Log message:
With its own daemonization / fd cleaning code, ssh-agent opens /dev/null
O_RDWR after a pledge without "wpath".  This is allowed in current pledge
because "/dev/null" is implicitly allowed to be opened even with the most
restrictive pledges or unveils.  This is a design decision in pledge made
at the very beginning, to satisfy libc requirements.  We've finally had
enough experience and know how to fix that in the near future, but need
to review and fix all code which opens these implicit paths.
The fix is to add "wpath", so that "/dev/null" can be opened O_RDWR.
But that is uncomfortable, so we add unveil() allowing "/" with "r",
4 unveil "x" for the potential askpass and helpers to be execve'd,
and "/dev/null" with "wr".  As a result filesystem access is substantially
more restricted than before, and ssh-agent is ready for the future pledge
change.
ok djm dtucker

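The ordering the log message describes, as an added example that is not ssh-agent's own code: unveil the whole tree "r", unveil the helpers "x", unveil "/dev/null" "rw", lock the unveil set, then pledge without "wpath", and only afterwards open /dev/null O_RDWR. The promise string, the helper paths passed from main() and the function names are assumptions for illustration; the real values are not in the log message. On a system without unveil()/pledge() the restriction step compiles to a no-op so the open can still be exercised.

```c
/* Added example, not from the OpenBSD tree.  Demonstrates restricting
 * filesystem access with unveil(2) before pledge(2) so that /dev/null can
 * still be opened O_RDWR without the "wpath" promise. */
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>

/* Unveil "/" read-only, each helper "x", "/dev/null" "rw", lock the set,
 * then pledge *without* "wpath".  exec_paths/n are the caller's list of
 * programs that may be execve'd (askpass and helpers).  Returns 0 on
 * success, -1 with errno set on failure.  Outside OpenBSD unveil() and
 * pledge() do not exist, so this is a no-op returning 0. */
int restrict_filesystem(const char *const *exec_paths, size_t n)
{
#ifdef __OpenBSD__
	size_t i;

	/* Everything readable, nothing writable. */
	if (unveil("/", "r") == -1)
		return -1;
	/* Only these may be executed. */
	for (i = 0; i < n; i++)
		if (unveil(exec_paths[i], "x") == -1)
			return -1;
	/* "w" here is what lets open(O_RDWR) of /dev/null succeed later. */
	if (unveil("/dev/null", "rw") == -1)
		return -1;
	/* Lock the view: no later unveil() can widen it. */
	if (unveil(NULL, NULL) == -1)
		return -1;
	/* Illustrative promise set (assumption); note there is no "wpath". */
	if (pledge("stdio rpath proc exec", NULL) == -1)
		return -1;
#else
	(void)exec_paths;
	(void)n;
#endif
	return 0;
}

/* The post-pledge open the log message is about: returns 0 if /dev/null
 * could be opened O_RDWR, -1 otherwise. */
int open_devnull_rdwr(void)
{
	int fd = open("/dev/null", O_RDWR);

	if (fd == -1)
		return -1;
	close(fd);
	return 0;
}

int main(void)
{
	/* Placeholder helper paths (assumption); substitute the real ones. */
	static const char *const helpers[] = {
		"/example/bin/ssh-askpass",
		"/example/libexec/helper-a",
		"/example/libexec/helper-b",
		"/example/libexec/helper-c",
	};

	if (restrict_filesystem(helpers, sizeof(helpers) / sizeof(helpers[0])) == -1)
		return 1;
	return open_devnull_rdwr() == 0 ? 0 : 1;
}
```

The point of the ordering is that unveil(NULL, NULL) closes the set before pledge() is applied, so the process never holds a broad "wpath" promise; the single writable path is the one unveil'd "rw". Once the planned pledge change removes the implicit /dev/null exception, this arrangement keeps working unchanged.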