Age | Commit message | Author | |
---|---|---|---|
2015-10-25 | strvis directory names in ps | Dmitrij Czarkoff | |
OK stsp@ | |||
2015-10-25 | need "getpw" pledge; spotted by matthieu | Theo de Raadt | |
2015-10-25 | POSIX says that you can't capture the return value of sigsetjmp(). | Philip Guenther | |
Fortunately, we don't need it as we only pass siglongjmp() a single value. ok deraadt@ | |||
2015-10-23 | Remove three strange and unused preproc defines. Submitted by Ilya | mmcc | |
Kaliman. ok nicm@ | |||
2015-10-23 | With new pledge "ps" and "vminfo" requests, ps/top/w become possible. | Theo de Raadt | |
2015-10-23 | Remove two comments listing functionless files. Trivial, no functional | mmcc | |
change. | |||
2015-10-23 | proto.h contains many function prototypes. It's apparently separate from | mmcc | |
sh.h because the pdksh devs used a prototype generator (last run in 1992). Merging it into sh.h makes things clearer. ok nicm@ | |||
2015-10-23 | correct precedence; from Ilya Kaliman | Theo de Raadt | |
2015-10-22 | document tid keyword. | Sebastian Benoit | |
found with and ok bluhm@ | |||
2015-10-22 | Final removal of EXTERN. | mmcc | |
ok nicm@ | |||
2015-10-22 | setlocale() before pledge()... until we learn more | Theo de Raadt | |
2015-10-22 | Fix typo in comment. From Theo Buehler. | mmcc | |
2015-10-21 | Style fixes; from Ilya Kaliman | Todd C. Miller | |
2015-10-21 | Remove a couple of unhelpful defines. | mmcc | |
ok nicm@ | |||
2015-10-21 | Don't bother casting NULL. | mmcc | |
ok nicm@ | |||
2015-10-21 | Assign pointer to NULL rather than 0. | mmcc | |
ok nicm@ | |||
2015-10-21 | Penultimate commit to remove EXTERN. | mmcc | |
ok nicm@ | |||
2015-10-19 | Remove the define NOT, replace it with '!'. No binary change. | mmcc | |
"The ^ is used in regular expressions and many versions of fnmatch(3) accept both ! and ^. However, we are never going to accept ^ instead of ! so I think this makes sense" -millert@ "go for it" -nicm@ | |||
2015-10-19 | A little style(9) for sh.h includes | mmcc | |
ok nicm@ | |||
2015-10-19 | Move stddef.h include from sh.h to the file that uses it. | mmcc | |
ok nicm@ | |||
2015-10-19 | Move string.h include from sh.h to the files that use it. | mmcc | |
ok nicm@ | |||
2015-10-19 | Move limits.h include from sh.h to the files that actually need it. No | mmcc | |
binary change. ok nicm@ | |||
2015-10-19 | More removal of EXTERN. | mmcc | |
ok nicm@ | |||
2015-10-19 | Apply style(9) to header includes. | mmcc | |
ok nicm@ | |||
2015-10-18 | Move more EXTERN-defined globals from sh.h. | mmcc | |
ok nicm@ | |||
2015-10-18 | With TIOCSTI supported in pledge "tty proc", csh is good enough to run | Theo de Raadt | |
with pledge "stdio rpath wpath cpath fattr getpw proc exec tty". (Note that ksh "emacs mode" is also a abus^Wconsumer of TIOCSTI, but we had let that slide for a week since no one uses it...) | |||
2015-10-17 | add missing underscore; from theo buehler | Jason McIntyre | |
2015-10-17 | Drop two useless defines. | mmcc | |
ok nicm@ | |||
2015-10-17 | Move a system header include from the global header (sh.h) into the | mmcc | |
files that need it. No binary change. "This looks fine" -nicm@ | |||
2015-10-17 | Change allocarray() to areallocarray(), a full reallocarray clone. All | mmcc | |
the logic is already in aresize(). "Sure" nicm@ | |||
2015-10-17 | Copy alloc()'s overflow check to aresize(). | mmcc | |
Suggested by nicm@. | |||
2015-10-16 | Change x_do_ins()'s arg type from int to size_t for correctness's sake, | mmcc | |
and to silence a compiler warning. Also remove its prototype, which is directly above its definition. ok tedu@ | |||
2015-10-16 | Move the overflow check to alloc() so that the link struct overhead can | mmcc | |
never bite us. Suggested by Theo Buehler, inspired by Bitrig's natano@. ok tedu@ | |||
2015-10-16 | Cast iscntrl()'s arg to unsigned char. | mmcc | |
ok nicm@ | |||
2015-10-16 | wrap a long line | Theo de Raadt | |
2015-10-16 | Implement real "flock" request and add it to userland programs that | Todd C. Miller | |
use pledge and file locking. OK deraadt@ | |||
2015-10-16 | Add allocarray(), an overflow-safe allocation function. | mmcc | |
We avoided reallocation support because it demands more fancy footwork to deal with the prepended link struct. This has been on my mind for a while, and a 2010 security review of mksh by the Android security team's Chris Palmer suggested it. ok nicm@. Also discussed with millert@ and tedu@. | |||
2015-10-15 | Remove three distracting aliases for NULL. | mmcc | |
ok nicm@ | |||
2015-10-15 | Remove an unused included header (sys/stat.h). | mmcc | |
2015-10-15 | Introduce an unsigned char variable for the ctype function calls. | mmcc | |
ok millert@ | |||
2015-10-14 | Use a strict $PATH of "/usr/bin:/usr/local/bin" to run the (de)compressors | Theo de Raadt | |
(gzip, compress, bzip2) rather than following the user's path. This seems easier than hardcoding the paths elsewhere and using basename(). pax/tar is pledged itself, but it can spawn one of these programs if asked. The three found at the strict path use pledge "stdio" very early during startup, providing a warm fuzzy pledge->exec->no-pledge->pledge interlock. For bzip2, this assumes use of the ports/packages version installed to /usr/local/bin, which has been pledged by sthen@. Doing a 'tar tvfz hostile.tgz' becomes a bit safer, since an attacker finding a buffer overflow or use after free has significantly fewer system calls available (only pledge "stdio" in the decompressor). ok millert sthen | |||
2015-10-13 | revert previous. changes the behaviour of: | Daniel Dickman | |
rm -f "" | |||
2015-10-12 | reenable pledge(2) on pax, but only if pmode isn't in use or if action | Sebastien Marie | |
shouldn't do things with filesystem. ok deraadt@ millert@ | |||
2015-10-12 | indent the builtin text a little, for naddy; | Jason McIntyre | |
2015-10-12 | Revert the pledge() call on pax/ar_io.c for now. | Sebastien Marie | |
A pledged program is not allowed to change user/group for others. "I think that makes the most sense" @sthen | |||
2015-10-12 | preservation modes can adjust setugid bits, so no pledge is possible. | Theo de Raadt | |
Otherwise, lay the groundwork for whether a gzip program may be run or not. After such a gzip program is started, pledge the program will not exec again. Took a few iterations to get this going... it is looking good. with guenther. | |||
2015-10-11 | Don't return errno from main() | Philip Guenther | |
ok beck@ doug@ deraadt@ tedu@ | |||
2015-10-11 | pledge "stdio tty" works once the kernel allows TIOCGWINSZ. Do the pledge | Theo de Raadt | |
after TIOCGETD, which the kernel is unlikely to support (does not feel like a good idea for a program to switch line disc, and therefore not worth allowing the program to ask either) | |||
2015-10-11 | Don't allow "rm -rf /" | Daniel Dickman | |
Patch from Theo Buehler who was inspired by watching Bryan Cantrill in BSD Now 103. Minor tweak from me to turn the complained variables into flags instead of counters. "i think it's ok" tedu@ "this isn't 1980 anymore" deraadt@ ok millert@ | |||
2015-10-10 | Pledge that ln only needs "stdio rpath cpath". | Doug Hogan | |
ok deraadt@ |