Re: Pledge failure in nc(1)

Sat, 28 May 2016 13:00:06 -0700 

On Sat, May 28, 2016 at 01:47:22PM -0600, Bob Beck wrote:
> Nice catch, and the right analysis.. Thanks Anthony. I think that can
> be committed
> 

ok tb@

> I don't think we will get away from a bit of a maze there without
> deprecating nc options, so
> IMO this is fine.
> 
> 
> On Sat, May 28, 2016 at 12:36 PM, Anthony Coulter
> <b...@anthonycoulter.name> wrote:
> > When nc(1) tries to connect through an HTTP proxy that requires
> > authentication, nc calls readpassphrase(3) and aborts. Pledging "tty"
> > fixes this problem, but you'll notice that the diff has a lot of nasty
> > branches. My failure to check Pflag when connecting over unix sockets
> > is not an oversight; nc does not support that configuration.
> >
> > To reproduce the failure without setting up a real HTTP proxy, open
> > two terminals and run nc as a coprocess in the first. The following
> > session causes a core dump:
> >   (tty1)$ nc -lk 8080 |&
> >   (tty2)$ nc -Xconnect -xlocalhost:8080 -Puser localhost 8081
> >   (tty1)$ print -np "HTTP/1.0 407 Authentication Required\r\n\r\n"
> >   (tty2) Abort trap (core dumped)
> >
> >
> > Index: netcat.c
> > ===================================================================
> > RCS file: /cvs/src/usr.bin/nc/netcat.c,v
> > retrieving revision 1.150
> > diff -u -p -r1.150 netcat.c
> > --- netcat.c    4 Jan 2016 02:18:31 -0000       1.150
> > +++ netcat.c    28 May 2016 18:33:30 -0000
> > @@ -323,7 +323,13 @@ main(int argc, char *argv[])
> >                 if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == 
> > -1)
> >                         err(1, "pledge");
> >         } else if (Fflag) {
> > -               if (pledge("stdio inet dns sendfd", NULL) == -1)
> > +               if (Pflag) {
> > +                       if (pledge("stdio inet dns sendfd tty", NULL) == -1)
> > +                               err(1, "pledge");
> > +               } else if (pledge("stdio inet dns sendfd", NULL) == -1)
> > +                       err(1, "pledge");
> > +       } else if (Pflag) {
> > +               if (pledge("stdio inet dns tty", NULL) == -1)
> >                         err(1, "pledge");
> >         } else if (usetls) {
> >                 if (pledge("stdio rpath inet dns", NULL) == -1)
> > @@ -434,7 +440,10 @@ main(int argc, char *argv[])
> >                 if (Kflag && (privkey = tls_load_file(Kflag, &privkeylen, 
> > NULL)) == NULL)
> >                         errx(1, "unable to load TLS key file %s", Kflag);
> >
> > -               if (pledge("stdio inet dns", NULL) == -1)
> > +               if (Pflag) {
> > +                       if (pledge("stdio inet dns tty", NULL) == -1)
> > +                               err(1, "pledge");
> > +               } else if (pledge("stdio inet dns", NULL) == -1)
> >                         err(1, "pledge");
> >
> >                 if (tls_init() == -1)
> >
>

Reply via email to