On Wed, Feb 03, 2016 at 08:24:57PM +0100, Frederic Cambus wrote:
> On Fri, Jan 29, 2016 at 04:37:13AM +0100, Theo Buehler wrote:
> >
> > > is it possible to get rid of proc exec? I didn't add them on my end...
> >
> > there are shell escapes, so they are probably needed. I don't really
> > use lynx myself, but it seems to me that it's worth investigating
> > tighter pledges conditionally on various "lynx -restriction=..."
> > options (hopefully those can't be changed at runtime).
> >
> > > Also should it call "err" or "exit_immediately" on failure?
> >
> > I agree that the latter looks like the right way to go.
>
> Here is a new diff for testing, with more restrictive promises.
>
> It builds on patches and suggestions provided off-list by tb@ and
> daniel@. Thanks guys for all the feedback and ideas.
>
> The idea is to avoid using otherwise required 'getpw', 'proc', 'exec'
> promises entirely. We achieve this by disabling a couple of features,
> mostly removing obsolete stuff. While we are at it, we attempt to pave
> the way to be able to remove even more promises in the future, and
> reduce potential attack vectors.
>
> We disable them either at compile time:
>
> --disable-bibp-urls
> --disable-dired
> --disable-finger
That looks like a wise move to me :) If you can just add comments to the
patches explaining why you do the getenv(HOME) dance to avoid getpw in
pledge, for the next guy that stumbles upon it..

Landry
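The "getenv(HOME) dance" Landry asks to have commented, shown as an added example that is not taken from the lynx port or from the diffs in this thread: the home directory is resolved from $HOME (falling back to the password database only while that is still allowed) before pledge(2) is called, so the promise set afterwards needs no "getpw", and "proc"/"exec" are left out as the thread proposes. The promise string is an assumption for illustration, not lynx's actual one, and on non-OpenBSD hosts a do-nothing pledge() stub is compiled in so the file builds there.

```c
#ifndef __OpenBSD__
#define _POSIX_C_SOURCE 200809L
#endif
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Stand-in for hosts without pledge(2): accepts any promise string and
 * enforces nothing. On OpenBSD the real pledge() from <unistd.h> is used. */
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises;
    (void)execpromises;
    return 0;
}
#endif

/* Resolve the home directory BEFORE pledging, so the process can later run
 * without the "getpw" promise. $HOME is honoured first; getpwuid() is only a
 * fallback while it is still permitted. Returns a static buffer, or NULL if
 * no home directory could be determined or it does not fit. */
const char *resolve_home_before_pledge(void)
{
    static char home[1024];
    const char *h = getenv("HOME");

    if (h == NULL || *h == '\0') {
        struct passwd *pw = getpwuid(getuid());
        if (pw == NULL || pw->pw_dir == NULL)
            return NULL;
        h = pw->pw_dir;
    }
    if (snprintf(home, sizeof home, "%s", h) >= (int)sizeof home)
        return NULL;
    return home;
}

/* Assumed promise set for a text browser that no longer needs getpw, proc
 * or exec (the real lynx string is not on the page). stdio: basic I/O;
 * rpath/wpath/cpath: read, write and create files (bookmarks, downloads);
 * inet/dns: networking; tty: terminal control. 0 on success, -1 on error. */
int pledge_browser_promises(void)
{
    return pledge("stdio rpath wpath cpath inet dns tty", NULL);
}

int main(void)
{
    const char *home = resolve_home_before_pledge();
    if (home == NULL) {
        fprintf(stderr, "cannot determine home directory\n");
        return 1;
    }
    if (pledge_browser_promises() == -1) {
        /* The thread prefers lynx's exit_immediately() over err(3) when
         * pledge fails; _exit(2) is the stand-in used here. */
        _exit(1);
    }
    /* From here on only the already-resolved path is used: getpwuid(),
     * fork() and exec*() are outside the promise set and would violate it. */
    printf("home directory: %s\n", home);
    return 0;
}
```

The point of the ordering is that everything needing "getpw" happens once, up front, and its result is cached; nothing after the pledge() call may touch the password database again, which is exactly the invariant a comment next to the getenv("HOME") lookup should state.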