Hi,

login_chpass(8) only needs access to exec login_lchpass(8), so the below
unveils it accordingly.

Comments? OK?

Index: login_chpass.c
===================================================================
RCS file: /cvs/src/libexec/login_chpass/login_chpass.c,v
retrieving revision 1.21
diff -u -p -u -r1.21 login_chpass.c
--- login_chpass.c      26 Apr 2018 12:42:51 -0000      1.21
+++ login_chpass.c      18 Jun 2020 20:53:52 -0000
@@ -60,6 +60,8 @@ main(int argc, char *argv[])
 
        (void)setpriority(PRIO_PROCESS, 0, 0);
 
+       if (unveil(_PATH_LOGIN_LCHPASS, "x") == -1)
+               err(1, "unveil");
        if (pledge("stdio exec", NULL) == -1)
                err(1, "pledge");
 
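Review bot: the err(1, "unveil") message on the added unveil() call does not name the path that failed, so a missing or renamed login_lchpass binary would be reported only as "unveil: No such file or directory". Consider err(1, "unveil %s", _PATH_LOGIN_LCHPASS) so the failure is diagnosable from the log line alone. The hunk does not show where _PATH_LOGIN_LCHPASS is defined, so it is worth confirming it is the same path the later exec call uses. Placing the call before pledge("stdio exec", NULL) looks right: the promise set has no "unveil", so no further unveil() calls are possible after that point and a separate unveil(NULL, NULL) lock is not needed.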
