Hi people,

inspired by someone on Hackernews talking about how hard it would be to
properly pledge an editor, here's a patch to pledge Vi and Ex.

I'd like to go a bit deeper than this patch though: In addition to the
-S option which enables "secure mode", Vi and Ex have a -R switch, which
enables read-only mode. Currently, read-only mode can be overridden with
the `:w!` command or with `:set noro`, so it's more of a "set the
initial mode to be read-only" switch.

I'd like to make this switch a permanent "never ever write a file that's
not in /tmp or /var/tmp"-mode.  Would a patch that does this get
accepted?

Related:

- pledge("tmppath") currently allows writing and what not to
  files in /tmp. Would it make sense to expand this to /var/tmp? On
  normal OpenBSD systems, these are the same directory anyway and Vi for
  example stores its recovery files in /var/tmp.
- If you pledge("tmppath"), you can only open(2) files in /tmp if you
  supply the O_CREAT flag. Is this intentional? Opening existing files
  (even reopening files I've just created with O_CREAT) without the
  O_CREAT flag for writing requires pledge("wpath"), which I'd like to
  avoid for the hypothetical "Don't write anywhere" mode.
  Would a patch removing this restriction be accepted?

-- 
        Gregor

Index: common/main.c
===================================================================
RCS file: /mnt/media/cvs/src/usr.bin/vi/common/main.c,v
retrieving revision 1.26
diff -u -p -u -r1.26 main.c
--- common/main.c       20 Nov 2014 08:50:53 -0000      1.26
+++ common/main.c       11 Nov 2015 13:01:34 -0000
@@ -17,6 +17,7 @@
 #include <sys/time.h>
 
 #include <bitstring.h>
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
@@ -229,6 +230,14 @@ editor(GS *gp, int argc, char *argv[])
        }
        if (LF_ISSET(SC_EX) && F_ISSET(gp, G_SCRIPTED))
                silent = 1;
+
+       if (secure) {
+               if (pledge("stdio rpath wpath cpath fattr flock tty", NULL))
+                       err(1, "pledge");
+       } else {
+               if (pledge("stdio rpath wpath cpath fattr flock tty proc exec", 
NULL))
+                       err(1, "pledge");
+       }
 
        /*
         * Build and initialize the first/current screen.  This is a bit
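Review bot: both `pledge()` checks in this hunk test for any nonzero return; the idiom used elsewhere in the tree is `if (pledge("...", NULL) == -1) err(1, "pledge");`, so change both branches to compare against -1 explicitly. The second promise string has also been wrapped by the mailer, with `NULL))` landing on its own line after `"stdio rpath wpath cpath fattr flock tty proc exec", `, so the diff will not apply as posted; resend with that statement on one line. Since the two branches differ only in `proc exec`, a single call with the promise string chosen (or appended) according to `secure` would avoid duplicating the error handling, and a short comment above the block saying why secure mode drops `proc exec` would help the next reader.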
