Hello Jesper,
On 5/20/19 10:58 PM, Jesper Wallin wrote:
> Hi all,
>
> When ex/vi is started with -S (secure), a stricter pledge is used to
> prevent exec from being used. It's tedious to specify -S all the time
> and easier to add "set secure" to ~/.nexrc. However, the check for
> which pledge to use doesn't care what your ~/.nexrc contains and the
> exec promise remains.
The behaviour should be identical; the only difference would be that
pledge catches programming errors. So I see no particular reason to use
-S over "set secure" for normal users, even without pledge.
>
> This patch simply waits until the ~/.nexrc is parsed and all options are
> set before checking whether or not to apply the stricter pledge.
>
> Another approach would be to also have a check inside the opts_set()
> function, in case the user manually runs "set secure", but that feels
> ugly and "too deep".
>
If we want to make sure that secure is always honoured with a
pledge, I reckon we should push it down to opts_set.
I chose not to fail hard on pledge, since that could lose people's
work, which is most definitely not what we want. While here, fix a
lie that secure has an off parameter and inform the user that it can't
be turned off again.
OK?
martijn@
>
> Jesper Wallin
>
Index: common/options.c
===================================================================
RCS file: /cvs/src/usr.bin/vi/common/options.c,v
retrieving revision 1.26
diff -u -p -r1.26 options.c
--- common/options.c 31 Jul 2017 19:45:49 -0000 1.26
+++ common/options.c 21 May 2019 05:32:29 -0000
@@ -136,7 +136,7 @@ OPTLIST const optlist[] = {
/* O_SECTIONS 4BSD */
{"sections", f_section, OPT_STR, 0},
/* O_SECURE 4.4BSD */
- {"secure", NULL, OPT_0BOOL, OPT_NOUNSET},
+ {"secure", f_secure, OPT_0BOOL, OPT_NOUNSET},
/* O_SHELL 4BSD */
{"shell", NULL, OPT_STR, 0},
/* O_SHELLMETA 4.4BSD */
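Review bot: attaching f_secure to the optlist entry covers "set secure" from ~/.nexrc and from the command line, but this hunk does not show the -S handling in main.c; check that -S either goes through the same opts_set() path or keeps its own pledge call, otherwise the two ways of enabling secure can drift apart in which promises they drop. Since OPT_NOUNSET is kept, a repeated "set secure" re-invokes f_secure and calls pledge() again with the same promise string, which is harmless but worth a one-line comment in the callback.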
Index: common/options_f.c
===================================================================
RCS file: /cvs/src/usr.bin/vi/common/options_f.c,v
retrieving revision 1.12
diff -u -p -r1.12 options_f.c
--- common/options_f.c 3 Jul 2017 07:01:14 -0000 1.12
+++ common/options_f.c 21 May 2019 05:32:30 -0000
@@ -207,6 +207,19 @@ f_section(SCR *sp, OPTION *op, char *str
}
/*
+ * PUBLIC: int f_secure(SCR *, OPTION *, char *, u_long *)
+ */
+int
+f_secure(SCR *sp, OPTION *op, char *str, u_long *valp)
+{
+ if (pledge("stdio rpath wpath cpath fattr flock getpw tty", NULL) ==
-1) {
+ msgq(sp, M_ERR, "pledge failed");
+ return (1);
+ }
+ return (0);
+}
+
+/*
* PUBLIC: int f_ttywerase(SCR *, OPTION *, char *, u_long *);
*/
int
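Review bot: returning 1 from f_secure after a failed pledge hands a nonzero status back to opts_set(); check what that does to the option, because if it leaves secure unset the editor reports the error and then carries on with external program access intact, which is the opposite of what the user asked for. Given the stated intent not to fail hard, returning 0 after the message keeps "secure" set in the option layer in either case. The message also drops errno: `msgq(sp, M_SYSERR, "pledge")` would report why it failed. The promise string here duplicates whatever main.c passes for -S; keep it in one shared definition so the two cannot diverge. Style: put `== -1) {` on one line rather than wrapping after `==`, add the trailing semicolon to the PUBLIC: header comment to match the neighbouring f_ttywerase one, and note that op, str and valp are unused.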
Index: docs/USD.doc/vi.man/vi.1
===================================================================
RCS file: /cvs/src/usr.bin/vi/docs/USD.doc/vi.man/vi.1,v
retrieving revision 1.75
diff -u -p -r1.75 vi.1
--- docs/USD.doc/vi.man/vi.1 12 Feb 2018 01:10:46 -0000 1.75
+++ docs/USD.doc/vi.man/vi.1 21 May 2019 05:32:30 -0000
@@ -2456,8 +2456,9 @@ Define additional section boundaries for
and
.Cm ]]
commands.
-.It Cm secure Bq off
+.It Cm secure
Turns off all access to external programs.
+Once set this option can't be disabled.
.It Cm shell , sh Bq "environment variable SHELL, or /bin/sh"
Select the shell used by the editor.
.It Cm shellmeta Bq ~{[*?$`'\&"\e
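Review bot: in this option list the bracketed Bq text gives the option's default value (compare `.It Cm shell , sh Bq "environment variable SHELL, or /bin/sh"` just below), so removing `Bq off` deletes the documented default rather than a claim that the option accepts an off argument; keep `.It Cm secure Bq off` and add the new sentence after it. Add a comma after "Once set", and since the -S flag enables the same option it is worth a cross-reference to -S here.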
Index: include/com_extern.h
===================================================================
RCS file: /cvs/src/usr.bin/vi/include/com_extern.h,v
retrieving revision 1.15
diff -u -p -r1.15 com_extern.h
--- include/com_extern.h 3 Jul 2017 07:01:14 -0000 1.15
+++ include/com_extern.h 21 May 2019 05:32:30 -0000
@@ -75,6 +75,7 @@ int f_readonly(SCR *, OPTION *, char *,
int f_recompile(SCR *, OPTION *, char *, u_long *);
int f_reformat(SCR *, OPTION *, char *, u_long *);
int f_section(SCR *, OPTION *, char *, u_long *);
+int f_secure(SCR *, OPTION *, char *, u_long *);
int f_ttywerase(SCR *, OPTION *, char *, u_long *);
int f_w300(SCR *, OPTION *, char *, u_long *);
int f_w1200(SCR *, OPTION *, char *, u_long *);