Hello Jesper, On 5/20/19 10:58 PM, Jesper Wallin wrote: > Hi all, > > When ex/vi is started with -S (secure), a stricter pledge is used to > prevent exec from being used. It's tedious to specify -S all the time > and easier to add "set secure" to ~/.nexrc. However, the check for > which pledge to use doesn't care what your ~/.nexrc contains and the > exec promise remains.
The behaviour should be identical, the only difference would be that pledge catches programming errors. So I see no particular reason to use -S over "set secure" for normal users; even without pledge. > > This patch simply wait until the ~/.nexrc is parsed and all options are > set before checking whether or not to apply the stricter pledge. > > Another approach would be to also have a check inside the opts_set() > unction, in case the user manually runs "set secure", but that feels > ugly and "too deep". > If we want to make sure that that secure is always honoured with a pledge I reckon we should push it down to opts_set. I choose not to fail hard on pledge, since that could loose peoples work, which is most definitely not what we want. While here fix a lie that secure has an off parameter and inform the user that it can't be turned off again. OK? martijn@ > > Jesper Wallin > Index: common/options.c =================================================================== RCS file: /cvs/src/usr.bin/vi/common/options.c,v retrieving revision 1.26 diff -u -p -r1.26 options.c --- common/options.c 31 Jul 2017 19:45:49 -0000 1.26 +++ common/options.c 21 May 2019 05:32:29 -0000 @@ -136,7 +136,7 @@ OPTLIST const optlist[] = { /* O_SECTIONS 4BSD */ {"sections", f_section, OPT_STR, 0}, /* O_SECURE 4.4BSD */ - {"secure", NULL, OPT_0BOOL, OPT_NOUNSET}, + {"secure", f_secure, OPT_0BOOL, OPT_NOUNSET}, /* O_SHELL 4BSD */ {"shell", NULL, OPT_STR, 0}, /* O_SHELLMETA 4.4BSD */ Index: common/options_f.c =================================================================== RCS file: /cvs/src/usr.bin/vi/common/options_f.c,v retrieving revision 1.12 diff -u -p -r1.12 options_f.c --- common/options_f.c 3 Jul 2017 07:01:14 -0000 1.12 +++ common/options_f.c 21 May 2019 05:32:30 -0000 @@ -207,6 +207,19 @@ f_section(SCR *sp, OPTION *op, char *str } /* + * PUBLIC: int f_secure(SCR *, OPTION *, char *, u_long *) + */ +int +f_secure(SCR *sp, OPTION *op, char *str, u_long *valp) +{ + if (pledge("stdio rpath wpath cpath fattr flock getpw tty", NULL) == -1) { + msgq(sp, M_ERR, "pledge failed"); + return (1); + } + return (0); +} + +/* * PUBLIC: int f_ttywerase(SCR *, OPTION *, char *, u_long *); */ int Index: docs/USD.doc/vi.man/vi.1 =================================================================== RCS file: /cvs/src/usr.bin/vi/docs/USD.doc/vi.man/vi.1,v retrieving revision 1.75 diff -u -p -r1.75 vi.1 --- docs/USD.doc/vi.man/vi.1 12 Feb 2018 01:10:46 -0000 1.75 +++ docs/USD.doc/vi.man/vi.1 21 May 2019 05:32:30 -0000 @@ -2456,8 +2456,9 @@ Define additional section boundaries for and .Cm ]] commands. -.It Cm secure Bq off +.It Cm secure Turns off all access to external programs. +Once set this option can't be disabled. .It Cm shell , sh Bq "environment variable SHELL, or /bin/sh" Select the shell used by the editor. .It Cm shellmeta Bq ~{[*?$`'\&"\e Index: include/com_extern.h =================================================================== RCS file: /cvs/src/usr.bin/vi/include/com_extern.h,v retrieving revision 1.15 diff -u -p -r1.15 com_extern.h --- include/com_extern.h 3 Jul 2017 07:01:14 -0000 1.15 +++ include/com_extern.h 21 May 2019 05:32:30 -0000 @@ -75,6 +75,7 @@ int f_readonly(SCR *, OPTION *, char *, int f_recompile(SCR *, OPTION *, char *, u_long *); int f_reformat(SCR *, OPTION *, char *, u_long *); int f_section(SCR *, OPTION *, char *, u_long *); +int f_secure(SCR *, OPTION *, char *, u_long *); int f_ttywerase(SCR *, OPTION *, char *, u_long *); int f_w300(SCR *, OPTION *, char *, u_long *); int f_w1200(SCR *, OPTION *, char *, u_long *);