
readpassphrase: Add readpassphraseat() function
Needs ReviewPublic

Authored by jfree on Mar 19 2023, 4:36 AM.
Details

Reviewers
markj
Summary

Programs in Capsicum(4) capability mode are unable to open /dev/tty,
causing a capability violation in readpassphrase(). Mitigate this issue
by adding readpassphraseat().

The readpassphraseat() function call takes an extra argument, ttyfd.
A pre-opened /dev/tty file descriptor may be passed in ttyfd to avoid
capability violations.

Diff Detail

Repository: rG FreeBSD src repository
Lint: Skipped
Unit tests: Skipped

Event Timeline

jfree requested review of this revision. Mar 19 2023, 4:36 AM
jfree added a child revision: D39009: unzip: Capsicumize it.
lib/libc/gen/readpassphrase.3, line 106
lib/libc/gen/readpassphrase.c, line 64

Would it be cleaner to fall back to STDIO if a sentinel value of AT_FDCWD (or some other name for -1) is passed instead?

lib/libc/gen/readpassphrase.c, line 213

This is a bit delicate. It's possible that STDIN_FILENO is not a valid file descriptor (because it was closed by the caller for some reason), and that the above _open() call returned STDIN_FILENO. In that case, we won't close the fd here. I think it'd be better to be more explicit and use a flag variable to indicate whether we opened ttyfd or not.

lib/libc/gen/readpassphrase.c, line 214

This _close() call can clobber errno, I believe, so you'll want to save it across that call. There is some similar code already which does this using save_errno.

jfree marked 4 inline comments as done.

Use AT_STDIN instead of STDIN_FILENO to force reading from stdin in readpassphraseat().

lib/libc/gen/readpassphrase.c, line 80

If the user passes STDIN_FILENO, STDOUT_FILENO, or STDERR_FILENO as ttyfd, this will return 0 and redirect input and output to ttyfd. To avoid this, I set the RPP_STDIN bit in flags above. I'm not sure if that is the best way to do this.
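An added example, not code from this revision or from libc, showing in portable C the three points the review turns on: a caller-supplied, pre-opened descriptor that the function must never close (the summary's ttyfd), descriptor ownership tracked by an explicit flag rather than a comparison against STDIN_FILENO (the line 213 comment), and errno saved across close() (the line 214 comment). The function name read_secret_at(), the sentinels RP_OPEN_TTY and RP_USE_STDIN, and reading from a caller-supplied path instead of /dev/tty are assumptions made so it runs anywhere without a terminal; echo suppression and Capsicum itself are left out. demo_fd_ownership() reproduces the scenario from the review: with stdin closed, the descriptor the function opens for itself is 0, and it is still released on return.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical ttyfd sentinels (assumed, not the revision's). */
#define RP_OPEN_TTY  (-1)	/* open ttypath ourselves */
#define RP_USE_STDIN (-2)	/* force stdin; any other value is caller-owned */

/* Read one line of secret from the descriptor ttyfd selects. Ownership is an
 * explicit flag, not a comparison against STDIN_FILENO, and a read() errno
 * survives the close() of a descriptor opened here. Returns NULL on error. */
char *
read_secret_at(int ttyfd, const char *ttypath, char *buf, size_t bufsiz)
{
	int input, opened = 0, save_errno;
	ssize_t n = 0;
	size_t len = 0;

	if (bufsiz == 0) {
		errno = EINVAL;
		return NULL;
	}
	if (ttyfd == RP_USE_STDIN) {
		input = STDIN_FILENO;
	} else if (ttyfd == RP_OPEN_TTY) {
		if ((input = open(ttypath, O_RDONLY | O_CLOEXEC)) == -1)
			return NULL;
		opened = 1;	/* ours to close, even if it happens to be fd 0 */
	} else {
		input = ttyfd;	/* caller-owned: never closed here */
	}
	while (len < bufsiz - 1) {	/* byte at a time until newline/EOF/error */
		n = read(input, &buf[len], 1);
		if (n == -1 && errno == EINTR)
			continue;
		if (n <= 0 || buf[len] == '\n')
			break;
		len++;
	}
	buf[len] = '\0';
	save_errno = errno;		/* close() may fail and overwrite errno */
	if (opened)
		(void)close(input);
	errno = save_errno;
	return n == -1 ? NULL : buf;
}

/* Constructed fixture: fill the mkstemp template `path` with a file holding
 * `secret` (standing in for /dev/tty) and return an fd at offset 0. */
static int
make_secret_file(const char *secret, char *path)
{
	int fd = mkstemp(path);

	if (fd != -1 && (write(fd, secret, strlen(secret)) == -1 ||
	    lseek(fd, 0, SEEK_SET) == -1)) {
		(void)close(fd);
		return -1;
	}
	return fd;
}

/* Step 1: a caller-owned fd is read from and left open. Step 2 (the review
 * case): stdin is closed, so the fd opened internally is 0; it is still
 * closed, where an `input != STDIN_FILENO` test would leak it. Returns 3. */
int
demo_fd_ownership(void)
{
	char path[] = "/tmp/rpa_exampleXXXXXX", buf[32];
	int fd = make_secret_file("hunter2\n", path), saved, result = 0;

	if (fd == -1)
		return 0;
	if (read_secret_at(fd, NULL, buf, sizeof(buf)) != NULL &&
	    strcmp(buf, "hunter2") == 0 && fcntl(fd, F_GETFD) != -1)
		result |= 1;	/* caller-owned fd survived the call */
	(void)close(fd);
	saved = dup(STDIN_FILENO);	/* -1 if stdin was already closed */
	(void)close(STDIN_FILENO);	/* fd 0 is now the lowest free number */
	if (read_secret_at(RP_OPEN_TTY, path, buf, sizeof(buf)) != NULL &&
	    strcmp(buf, "hunter2") == 0 && fcntl(STDIN_FILENO, F_GETFD) == -1)
		result |= 2;	/* internally opened fd 0 was closed again */
	if (saved != -1) {
		(void)dup2(saved, STDIN_FILENO);
		(void)close(saved);
	}
	(void)unlink(path);
	return result;
}

/* Failed read() (a directory): the errno handed back is read()'s, not close()'s. */
int
demo_errno_preserved(void)
{
	char buf[32];
	return read_secret_at(RP_OPEN_TTY, ".", buf, sizeof(buf)) == NULL ? errno : 0;
}
```

The ownership flag is what makes step 2 work: after the caller has closed stdin, open() hands back descriptor 0, and a cleanup written as `if (input != STDIN_FILENO) close(input)` would skip it. Saving errno around close() costs one variable and keeps the caller's error report honest whether or not close() itself fails.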