path: root/bin
Age | Commit message | Author
2015-10-25 | strvis directory names in ps OK stsp@ | Dmitrij Czarkoff
2015-10-25 | need "getpw" pledge; spotted by matthieu | Theo de Raadt
2015-10-25 | POSIX says that you can't capture the return value of sigsetjmp(). Fortunately, we don't need it as we only pass siglongjmp() a single value. ok deraadt@ | Philip Guenther
2015-10-23 | Remove three strange and unused preproc defines. Submitted by Ilya Kaliman. ok nicm@ | mmcc
2015-10-23 | With new pledge "ps" and "vminfo" requests, ps/top/w become possible. | Theo de Raadt
2015-10-23 | Remove two comments listing functionless files. Trivial, no functional change. | mmcc
2015-10-23 | proto.h contains many function prototypes. It's apparently separate from sh.h because the pdksh devs used a prototype generator (last run in 1992). Merging it into sh.h makes things clearer. ok nicm@ | mmcc
2015-10-23 | correct precedence; from Ilya Kaliman | Theo de Raadt
2015-10-22 | document tid keyword. found with and ok bluhm@ | Sebastian Benoit
2015-10-22 | Final removal of EXTERN. ok nicm@ | mmcc
2015-10-22 | setlocale() before pledge()... until we learn more | Theo de Raadt
2015-10-22 | Fix typo in comment. From Theo Buehler. | mmcc
2015-10-21 | Style fixes; from Ilya Kaliman | Todd C. Miller
2015-10-21 | Remove a couple of unhelpful defines. ok nicm@ | mmcc
2015-10-21 | Don't bother casting NULL. ok nicm@ | mmcc
2015-10-21 | Assign pointer to NULL rather than 0. ok nicm@ | mmcc
2015-10-21 | Penultimate commit to remove EXTERN. ok nicm@ | mmcc
2015-10-19 | Remove the define NOT, replace it with '!'. No binary change. "The ^ is used in regular expressions and many versions of fnmatch(3) accept both ! and ^. However, we are never going to accept ^ instead of ! so I think this makes sense" -millert@ "go for it" -nicm@ | mmcc
2015-10-19 | A little style(9) for sh.h includes ok nicm@ | mmcc
2015-10-19 | Move stddef.h include from sh.h to the file that uses it. ok nicm@ | mmcc
2015-10-19 | Move string.h include from sh.h to the files that use it. ok nicm@ | mmcc
2015-10-19 | Move limits.h include from sh.h to the files that actually need it. No binary change. ok nicm@ | mmcc
2015-10-19 | More removal of EXTERN. ok nicm@ | mmcc
2015-10-19 | Apply style(9) to header includes. ok nicm@ | mmcc
2015-10-18 | Move more EXTERN-defined globals from sh.h. ok nicm@ | mmcc
2015-10-18 | With TIOCSTI supported in pledge "tty proc", csh is good enough to run with pledge "stdio rpath wpath cpath fattr getpw proc exec tty". (Note that ksh "emacs mode" is also a abus^Wconsumer of TIOCSTI, but we had let that slide for a week since no one uses it...) | Theo de Raadt
2015-10-17 | add missing underscore; from theo buehler | Jason McIntyre
2015-10-17 | Drop two useless defines. ok nicm@ | mmcc
2015-10-17 | Move a system header include from the global header (sh.h) into the files that need it. No binary change. "This looks fine" -nicm@ | mmcc
2015-10-17 | Change allocarray() to areallocarray(), a full reallocarray clone. All the logic is already in aresize(). "Sure" nicm@ | mmcc
2015-10-17 | Copy alloc()'s overflow check to aresize(). Suggested by nicm@. | mmcc
2015-10-16 | Change x_do_ins()'s arg type from int to size_t for correctness's sake, and to silence a compiler warning. Also remove its prototype, which is directly above its definition. ok tedu@ | mmcc
2015-10-16 | Move the overflow check to alloc() so that the link struct overhead can never bite us. Suggested by Theo Buehler, inspired by Bitrig's natano@. ok tedu@ | mmcc
2015-10-16 | Cast iscntrl()'s arg to unsigned char. ok nicm@ | mmcc
2015-10-16 | wrap a long line | Theo de Raadt
2015-10-16 | Implement real "flock" request and add it to userland programs that use pledge and file locking. OK deraadt@ | Todd C. Miller
2015-10-16 | Add allocarray(), an overflow-safe allocation function. We avoided reallocation support because it demands more fancy footwork to deal with the prepended link struct. This has been on my mind for a while, and a 2010 security review of mksh by the Android security team's Chris Palmer suggested it. ok nicm@. Also discussed with millert@ and tedu@. | mmcc
2015-10-15 | Remove three distracting aliases for NULL. ok nicm@ | mmcc
2015-10-15 | Remove an unused included header (sys/stat.h). | mmcc
2015-10-15 | Introduce an unsigned char variable for the ctype function calls. ok millert@ | mmcc
2015-10-14 | Use a strict $PATH of "/usr/bin:/usr/local/bin" to run the (de)compressors (gzip, compress, bzip2) rather than following the user's path. This seems easier than hardcoding the paths elsewhere and using basename(). pax/tar is pledged itself, but it can spawn one of these programs if asked. The three found at the strict path use pledge "stdio" very early during startup, providing a warm fuzzy pledge->exec->no-pledge->pledge interlock. For bzip2, this assumes use of the ports/packages version installed to /usr/local/bin, which has been pledged by sthen@. Doing a 'tar tvfz hostile.tgz' becomes a bit safer, since an attacker finding a buffer overflow or use after free has significantly fewer system calls available (only pledge "stdio" in the decompressor). ok millert sthen | Theo de Raadt
2015-10-13 | revert previous. changes the behaviour of: rm -f "" | Daniel Dickman
2015-10-12 | reenable pledge(2) on pax, but only if pmode isn't in use or if action shouldn't do things with filesystem. ok deraadt@ millert@ | Sebastien Marie
2015-10-12 | indent the builtin text a little, for naddy; | Jason McIntyre
2015-10-12 | Revert the pledge() call on pax/ar_io.c for now. A pledged program is not allowed to change user/group for others. "I think that makes the most sense" @sthen | Sebastien Marie
2015-10-12 | preservation modes can adjust setugid bits, so no pledge is possible. Otherwise, lay the groundwork for whether a gzip program may be run or not. After such a gzip program is started, pledge the program will not exec again. Took a few iterations to get this going... it is looking good. with guenther. | Theo de Raadt
2015-10-11 | Don't return errno from main() ok beck@ doug@ deraadt@ tedu@ | Philip Guenther
2015-10-11 | pledge "stdio tty" works once the kernel allows TIOCGWINSZ. Do the pledge after TIOCGETD, which the kernel is unlikely to support (does not feel like a good idea for a program to switch line disc, and therefore not worth allowing the program to ask either) | Theo de Raadt
2015-10-11 | Don't allow "rm -rf /" Patch from Theo Buehler who was inspired by watching Bryan Cantrill in BSD Now 103. Minor tweak from me to turn the complained variables into flags instead of counters. "i think it's ok" tedu@ "this isn't 1980 anymore" deraadt@ ok millert@ | Daniel Dickman
2015-10-10 | Pledge that ln only needs "stdio rpath cpath". ok deraadt@ | Doug Hogan