Michael Hendricks wrote:
> I would like to have pledge on the command line so I can restrict an ad-hoc
> process during execution.  For example:
> 
> $ pledge "stdio" sed -e "s/foo/bar/g" <input.txt >output.txt
> 
> I can't modify sed, for example, because I don't always want it pledged
> that tightly.  Since execve removes pledges, I can't see a way to write
> this pledge utility myself.  Is it possible?  Is there a better way to
> impose these kinds of ad-hoc restrictions on a utility?

sed can (should?) reduce the set of permissions after it determines that input
and output are streams. In fact, it can do so after opening any required
files.
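
The approach described in the reply above (open any required files first, then reduce permissions), shown as an added example that is not part of the thread and is not sed's own code. The helper names `restrict_to_stdio` and `replace_stream` are hypothetical, and the non-OpenBSD no-op branch is an assumption so the example builds on other systems.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Reduce the process to "stdio" once every file it needs is open.
 * pledge(2) is OpenBSD-only; the no-op branch is an assumption of this
 * example so that it also builds on other systems. */
static int restrict_to_stdio(void)
{
#ifdef __OpenBSD__
    return pledge("stdio", NULL);
#else
    return 0;
#endif
}

/* Copy in to out, replacing each occurrence of from with to. Touches only
 * streams that are already open, so it needs nothing beyond "stdio".
 * Returns the replacement count, or -1 for an empty pattern. Matches that
 * straddle a 4095-byte fgets() chunk are not handled. */
static int replace_stream(FILE *in, FILE *out, const char *from, const char *to)
{
    char line[4096];
    size_t flen = strlen(from);
    int count = 0;
    if (flen == 0) return -1;
    while (fgets(line, sizeof line, in) != NULL) {
        char *p = line, *hit;
        while ((hit = strstr(p, from)) != NULL) {
            fwrite(p, 1, (size_t)(hit - p), out);
            fputs(to, out);
            p = hit + flen;
            count++;
        }
        fputs(p, out);
    }
    return count;
}

int main(int argc, char **argv)
{
    FILE *in = stdin, *out = stdout;
    /* Everything that needs the rpath/wpath/cpath promises happens first. */
    if (argc > 1 && (in = fopen(argv[1], "r")) == NULL) { perror(argv[1]); return 1; }
    if (argc > 2 && (out = fopen(argv[2], "w")) == NULL) { perror(argv[2]); return 1; }
    if (restrict_to_stdio() == -1) { perror("pledge"); return 1; }
    /* On OpenBSD, a later fopen() or execve() now kills the process. */
    return replace_stream(in, out, "foo", "bar") < 0 || fflush(out) == EOF;
}
```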
