Hi Theo,

I think chmod fits in the "cannot be tamed" category. tame(2) says of
chmod(2) and friends:

    Setuid/setgid bits do not work, nor can the user or group be
    changed on a file.

This breaks 'chmod u+s'. It might be possible to tame only if it looks
like a mode is being set which is allowed, but I think the complexity
would outweigh the gain, looking at the way chmod handles modes. I'd be
happy to try writing a diff if you think it's a sound idea, though.

chown is in the same boat as chmod. chflags should be fine, but doesn't
need TAME_WPATH, as far as I can tell.

head requires the ability to call open(2) (via fopen(3)) when given a
filename argument, which is always restricted to specific paths with
tame. It also doesn't seem to actually use the privileges granted by
TAME_FATTR.

Revised diff for chmod and head follows.

Index: bin/chmod/chmod.c
===================================================================
RCS file: /cvs/src/bin/chmod/chmod.c,v
retrieving revision 1.34
diff -u -p -r1.34 chmod.c
--- bin/chmod/chmod.c 25 Jun 2015 02:04:08 -0000 1.34
+++ bin/chmod/chmod.c 29 Aug 2015 09:48:14 -0000
@@ -32,6 +32,7 @@
#include <sys/types.h>
#include <sys/stat.h>
+#include <sys/tame.h>
#include <err.h>
#include <errno.h>
@@ -153,6 +154,8 @@ done:
atflags = 0;
if (ischflags) {
+ tame(TAME_STDIO | TAME_RPATH | TAME_FATTR, NULL);
+
flags = *argv;
if (*flags >= '0' && *flags <= '7') {
errno = 0;
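Review bot: The result of the new tame() call at the top of the ischflags branch is discarded, so if the call fails chflags carries on unrestricted and nothing is reported. Check the result and exit on failure, for example with err(1, "tame"), since err.h is already included in this file. Because the call sits inside `if (ischflags)`, the chmod and chown modes stay untamed; a one-line comment saying this is deliberate (setuid/setgid bits and ownership changes do not work under tame) would stop a later reader from treating it as an omission.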
Index: usr.bin/head/head.c
===================================================================
RCS file: /cvs/src/usr.bin/head/head.c,v
retrieving revision 1.18
diff -u -p -r1.18 head.c
--- usr.bin/head/head.c 8 Oct 2014 08:31:53 -0000 1.18
+++ usr.bin/head/head.c 29 Aug 2015 09:48:14 -0000
@@ -29,6 +29,8 @@
* SUCH DAMAGE.
*/
+#include <sys/tame.h>
+
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
@@ -87,6 +89,7 @@ main(int argc, char *argv[])
if (!firsttime)
exit(status);
fp = stdin;
+ tame(TAME_STDIO, NULL);
} else {
if ((fp = fopen(*argv, "r")) == NULL) {
warn("%s", *argv++);
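Review bot: tame(TAME_STDIO, NULL) is added only in the stdin branch after `fp = stdin;`, so when a filename argument is given the else branch with fopen() runs with no restriction, and the code does not say why. Add a comment above the call explaining that the file case is left untamed because it needs open(2), and check the call's result instead of discarding it so a failure is reported rather than silently ignored.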