Prevent patch(1) from scribbling all over the place.
(marc.info)
from tedu to openbsd on 25 Jul 2023 16:21
https://azorius.net/p/Y21Nw463m2Y7KnmLZP
from tedu to openbsd on 25 Jul 2023 16:21
https://azorius.net/p/Y21Nw463m2Y7KnmLZP
Arguably the only sensible use of patch(1) is changing files in the current working directory and subdirectories.
However, patch(1) has this anti-feature, or dare I say bug, where it will happily follow "../" upwards and outside of the current working directory to find files to change. All it takes is a line like+++ ../../../../home/florian/.ssh/authorized_keys
in the patchfile.
patch(1) operates on untrusted input and it already pledge(2)'ed to not execute arbitrary programs, but of course it needs to write files.
A simple unveil(".", "rwc") restricts patch(1) to its current working directory.
https://github.com/openbsd/src/commit/4d951e9375c9e68d1aed559bb61502fa0cca5b7a
threaded - newest