Roland Mainz wrote:
> Is there a way in ksh93 to switch to "restricted" (=rksh) mode during
> runtime of the shell ?
> The idea is to switch to "restricted" within a suub-shell when
> processing some user input...
>
> I tried "set -o restricted" to switch to "restricted" mode but that
> fails like this:
> -- snip --
> % ksh -c 'true ; (set -o restricted ; echo "foo" ; exec >/blabla) ;
> true'
> ksh[1]: set: restricted: bad option(s)
> Usage: set [-sabefhkmnptuvxBCGH] [-A name] [-o[option]] [arg ...]
> -- snip --
>
> Is there any other way ?
It seems there is no way...
... attached is a small patch
("ksh93_libshell_set_restricted_mode_once_001.diff.txt") for libshell
which gets this working. The patch allows someone to turn on the
"restricted" mode in a one-way fashion, e.g. it is not possible to
disable it anymore (which could be a security hole) once it was enabled.
Test output then looks like this:
-- snip --
% ./ksh -c 'set -x ; echo "start" ; cd . ; (echo "mark 1" ; set -o
restricted ; cd .) ; echo "mark2" ; (set -o restricted ; echo "mark4" ;
set -o restricted=0) ; echo "mark5"')
+ echo start
start
+ cd .
+ echo 'mark 1'
mark 1
+ set -o restricted
+ cd .
../../cmd/ksh/i386/ksh[1]: cd: restricted
+ echo mark2
mark2
+ set -o restricted
+ echo mark4
mark4
../../cmd/ksh/i386/ksh[1]: set: restricted=0: bad option(s)
Usage: set [-sabefhkmnptuvxBCGH] [-A name] [-o[option]] [arg ...]
+ echo mark5
mark5
-- snip --
David/Glenn:
Is there still time to get this functionality into ksh93r+ ? It may be
very usefull for the |wordexp()| work on Solaris and some other stuff,
too...
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) roland.mainz at nrubsig.org
\__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer
/O /==\ O\ TEL +49 641 7950090
(;O/ \/ \O;)
-------------- next part --------------
Index: common/include/defs.h
===================================================================
--- common/include/defs.h (revision 269)
+++ common/include/defs.h (working copy)
@@ -229,6 +229,7 @@
#define SH_COMMANDLINE 0x100
#define SH_BASHEXTRA 0x200
#define SH_BASHOPT 0x400
+#define SH_SETONONLY 0x800 /* disallow setting the flag to "off" */
#if SHOPT_BASH
# ifndef SHOPT_HISTEXPAND
Index: common/data/options.c
===================================================================
--- common/data/options.c (revision 269)
+++ common/data/options.c (working copy)
@@ -98,7 +98,7 @@
bashopt("progcomp", SH_PROGCOMP)
bashopt("promptvars", SH_PROMPTVARS)
"rc", SH_RC|SH_COMMANDLINE,
- "restricted", SH_RESTRICTED|SH_COMMANDLINE,
+ "restricted", SH_RESTRICTED|SH_SETONONLY,
bashopt("restricted_shell", SH_RESTRICTED2|SH_COMMANDLINE)
bashopt("shift_verbose", SH_SHIFT_VERBOSE)
bashopt("sourcepath", SH_SOURCEPATH)
Index: common/sh/args.c
===================================================================
--- common/sh/args.c (revision 269)
+++ common/sh/args.c (working copy)
@@ -189,7 +189,8 @@
if(o<=0
|| (!sh_isoption(SH_BASH) && (o&SH_BASHEXTRA))
|| ((!sh_isoption(SH_BASH) || n=='o') &&
(o&SH_BASHOPT))
- || (setflag && (o&SH_COMMANDLINE)))
+ || (setflag && (o&SH_COMMANDLINE))
+ || (setflag && (f == 0) && (o&SH_SETONONLY)))
{
errormsg(SH_DICT,2, e_option, opt_info.arg);
error_info.errors++;
