On Wed, May 18, 2022 at 12:51:15PM -0600, Theo de Raadt wrote:
> Based upon the discussion of xterm a couple of days ago, I have been
> working on a couple of changes to reduce the privs of xterm in general,
> by reducing the scope of the utmp egid by opening utmp early, improving
> the unveil calls to match, and then tightening the pledge.
>
> Additionally, some file-related functions not used by our xterm because
> of feature disabling have become hidden behind #ifdef, and I update the
> manual page.
>
> It's a jumbo diff, for testing in snaps, to see if there is any fallout.
> I tried to tighten a bunch of other really ugly things I found (nested
> select and poll calls, oh boy, with short-cut exit paths to work around
> the introduced problems). But, for now, this is how far I think we can
> go in the first few steps.
>
> As I said, this is in snaps.
Hi,

Ok for the source changes. The balance between restricting functionalities and pushing users toward using even less secure applications from ports seems reasonable to me here.

For the man page, I'd prefer if we add information on the disabled features in the 'OPENBSD SPECIFICS' section at the end for consistency with how other changes are documented, like below.

Index: xterm.man =================================================================== RCS file: /cvs/OpenBSD/xenocara/app/xterm/xterm.man,v retrieving revision 1.57 diff -u -p -u -r1.57 xterm.man --- xterm.man 25 Apr 2022 19:20:38 -0000 1.57 +++ xterm.man 22 May 2022 09:08:37 -0000 @@ -8977,3 +8977,7 @@ entry for xterm defines the capability as \fB^?\fP. .PP The u\*n and koi8r\*n shell scripts are not provided by OpenBSD. +.PP +The following functions are disabled on OpenBSD: +\fBexec\-formatted()\fP, \fBexec\-selectable()\fP and +\fBspawn\-new\-terminal()\fP.

-- 
Matthieu Herrb
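Review bot: the added paragraph names the three disabled functions but gives no reason, so a user hitting one of them cannot tell an intentional restriction from a bug; since the thread's motivation is the tightened pledge/unveil sandbox, consider extending the sentence to something like "The following functions are disabled on OpenBSD because xterm runs under pledge(2) and unveil(2) restrictions:". If \fBexec\-formatted()\fP, \fBexec\-selectable()\fP and \fBspawn\-new\-terminal()\fP are also described elsewhere in this manual, a pointer from those entries to the OPENBSD SPECIFICS section would keep readers who start there from assuming the features work.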