On Sat, Dec 02, 2017 at 08:17:15PM +0100, Jan Klemkow wrote: > On Fri, Dec 01, 2017 at 04:17:42PM -0700, Theo de Raadt wrote: > > So two comments: Calling this thing by the right name (escape), > > would allow you to search other programs which have similar functions, > > see if someone did it before, and match the behaviour / option. > > Yes, the term "kiosk mode" is not that common in unix environments. > So, I changed it to "restricted mode" as it is used in ksh(1).
Sorry for the noise. I forget to change the warning messages. I also changed the variable r_flag to "restricted" as it is used in the source of ksh(1), too. This version should be fine: Index: command.c =================================================================== RCS file: /cvs/src/usr.bin/cu/command.c,v retrieving revision 1.15 diff -u -p -r1.15 command.c --- command.c 5 Oct 2015 23:15:31 -0000 1.15 +++ command.c 2 Dec 2017 19:30:52 -0000 @@ -233,6 +233,10 @@ do_command(char c) set_termios(); break; case 'C': + if (restricted) { + cu_warnx("~C command is not allowed in restricted mode"); + break; + } connect_command(); break; case 'D': @@ -241,18 +245,34 @@ do_command(char c) ioctl(line_fd, TIOCSDTR, NULL); break; case 'R': + if (restricted) { + cu_warnx("~R command is not allowed in restricted mode"); + break; + } start_record(); break; case 'S': set_speed(); break; case 'X': + if (restricted) { + cu_warnx("~X command is not allowed in restricted mode"); + break; + } send_xmodem(); break; case '$': + if (restricted) { + cu_warnx("~$ command is not allowed in restricted mode"); + break; + } pipe_command(); break; case '>': + if (restricted) { + cu_warnx("~> command is not allowed in restricted mode"); + break; + } send_file(); break; case '#': Index: cu.1 =================================================================== RCS file: /cvs/src/usr.bin/cu/cu.1,v retrieving revision 1.15 diff -u -p -r1.15 cu.1 --- cu.1 18 May 2015 09:35:05 -0000 1.15 +++ cu.1 2 Dec 2017 18:06:25 -0000 @@ -35,7 +35,7 @@ .Nd serial terminal emulator .Sh SYNOPSIS .Nm -.Op Fl d +.Op Fl dr .Op Fl l Ar line .Op Fl s Ar speed | Fl Ar speed .Nm 
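Review bot: The `restricted` test added to `case 'C'` is repeated verbatim for `case 'R'`, `'X'`, `'$'` and `'>'` in the next hunk, so the list of refused escapes is spread across the switch and any escape added later is allowed unless its author remembers to copy the guard. A comment above the switch would make the rule explicit, for example `/* restricted mode: refuse every escape that opens a local file or runs a local command */`, and a single check on `c` ahead of the switch would keep the list in one place. The `pledge("stdio tty", NULL)` call added in cu.c looks like the backstop for a missed guard, but a pledge violation terminates the process instead of printing a warning, so these guards still decide what the user sees. do_command's body starts and ends outside this hunk.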
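Review bot: The `~D` branch, whose `ioctl(line_fd, TIOCSDTR, NULL)` sits at the top of this hunk, gets no `restricted` guard, yet the cu.1 change later in the patch adds "This command is not allowed in restricted mode." under `~D`, so the code and the manual disagree. The reverse holds for `~>`: `send_file()` is guarded here, but no visible cu.1 hunk adds that sentence to its entry. Deasserting DTR is neither a local filesystem operation nor command execution, so the likely fix is in the manual, moving the sentence from `~D` to `~>`. If `~D` is meant to be refused, the same `if (restricted) { ... break; }` guard belongs before the ioctl.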
@@ -55,6 +55,11 @@ The options are as follows: Specify that the line is directly connected and .Nm should not allow the driver to block waiting for a carrier to be detected. +.It Fl r +Starts +.Nm +in restricted mode. +This prevents all local filesystem operations and command executions. .It Fl l Ar line Specify the line to use. Either of the forms like @@ -114,6 +119,7 @@ process to the remote host. The command string sent to the local .Ux system is processed by the shell. +This command is not allowed in restricted mode. .It Ic ~# Send a .Dv BREAK @@ -132,16 +138,21 @@ file descriptors: 1 \*(Lt-\*(Gt remote tty out 2 \*(Lt-\*(Gt local tty stderr .Ed +.Pp +This command is not allowed in restricted mode. .It Ic ~D Deassert the data terminal ready (DTR) line briefly. +This command is not allowed in restricted mode. .It Ic ~R Record all output from the remote system to a file. If the given file already exists, it is appended to. If no file is specified, any existing recording is stopped. +This command is not allowed in restricted mode. .It Ic ~S Change the speed of the connection. .It Ic ~X Send a file with the XMODEM protocol. +This command is not allowed in restricted mode. .It Ic ~? Get a summary of the tilde escapes. .El Index: cu.c =================================================================== RCS file: /cvs/src/usr.bin/cu/cu.c,v retrieving revision 1.25 diff -u -p -r1.25 cu.c --- cu.c 22 Aug 2017 16:32:37 -0000 1.25 +++ cu.c 2 Dec 2017 19:28:52 -0000 @@ -42,6 +42,7 @@ struct termios saved_tio; struct bufferevent *input_ev; struct bufferevent *output_ev; int is_direct = -1; +int restricted = 0; const char *line_path = NULL; int line_speed = -1; int line_fd; @@ -66,7 +67,7 @@ void try_remote(const char *, const cha __dead void usage(void) { - fprintf(stderr, "usage: %s [-d] [-l line] [-s speed | -speed]\n", + fprintf(stderr, "usage: %s [-dk] [-l line] [-s speed | -speed]\n", __progname); fprintf(stderr, " %s [host]\n", __progname); exit(1); 
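Review bot: The new usage string in usage() prints `[-dk]`, but the getopt string changed in main() accepts `r`, not `k`; this looks like a leftover from the earlier "kiosk" naming. The line should read `fprintf(stderr, "usage: %s [-dr] [-l line] [-s speed | -speed]\n",`, which also matches the `.Op Fl dr` synopsis added to cu.1. As written, a user who follows the usage message and passes `-k` gets an unknown-option error and no restricted mode.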
@@ -100,11 +101,16 @@ main(int argc, char **argv) errx(1, "speed asprintf"); } - while ((opt = getopt(argc, argv, "dl:s:")) != -1) { + while ((opt = getopt(argc, argv, "drl:s:")) != -1) { switch (opt) { case 'd': is_direct = 1; break; + case 'r': + if (pledge("stdio rpath wpath tty", NULL) == -1) + err(1, "pledge"); + restricted = 1; + break; case 'l': line_path = optarg; break; @@ -162,6 +168,8 @@ main(int argc, char **argv) line_fd = open(line_path, flags); if (line_fd < 0) err(1, "open(\"%s\")", line_path); + if (restricted && pledge("stdio tty", NULL) == -1) + err(1, "pledge"); if (!isatty(line_fd)) err(1, "%s", line_path); if (ioctl(line_fd, TIOCEXCL) != 0) Index: cu.h =================================================================== RCS file: /cvs/src/usr.bin/cu/cu.h,v retrieving revision 1.7 diff -u -p -r1.7 cu.h --- cu.h 5 Oct 2015 23:15:31 -0000 1.7 +++ cu.h 2 Dec 2017 19:27:26 -0000 @@ -23,6 +23,7 @@ void do_command(char); /* cu.c */ +extern int restricted; extern FILE *record_file; extern struct termios saved_tio; extern int line_fd;
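Review bot: The `pledge("stdio rpath wpath tty", NULL)` call in `case 'r'` runs in the middle of option parsing, so arguments after `-r` are handled under a different promise set than arguments before it, and the privilege drop is split between this switch and the later `pledge("stdio tty", NULL)`. Setting only the flag here, `case 'r': restricted = 1; break;`, and narrowing once after the loop with `if (restricted && pledge("stdio rpath wpath tty", NULL) == -1) err(1, "pledge");` keeps the sandbox setup in one place. Whether main() already pledges before the loop is not visible in this hunk; if it does, a short comment saying that `-r` only narrows that set would help the next reader.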
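Review bot: The `pledge("stdio tty", NULL)` added after `open(line_path, flags)` is where restricted mode gives up `rpath` and `wpath`, and nothing in the hunk says why it has to come after the open. I would add a comment above the call such as `/* line is open; restricted mode needs no further filesystem access */`. Any code further down main() that still opens a file (not visible here) would be killed under this promise set when `-r` is given, so that path is worth checking before commit.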