Hi Theo, I think chmod fits in the "cannot be tamed" category. tame(2) says of chmod(2) and friends:
Setuid/setgid bits do not work, nor can the user or group be changed on a file. This breaks 'chmod u+s'. It might be possible to tame only if it looks like a mode is being set which is allowed, but I think the complexity would outweight the gain, looking at the way chmod handles modes. I'd be happy to try writing a diff if you think it's a sound idea, though. chown is in the same boat as chmod. chflags should be fine, but doesn't need TAME_WPATH, as far as I can tell. head requires the ability to call open(2) (via fopen(3)) when given a filename argument, which is always restricted to specific paths with tame. It also doesn't seem to actually use the privileges granted by TAME_FATTR. Revised diff for chmod and head follows. Index: bin/chmod/chmod.c =================================================================== RCS file: /cvs/src/bin/chmod/chmod.c,v retrieving revision 1.34 diff -u -p -r1.34 chmod.c --- bin/chmod/chmod.c 25 Jun 2015 02:04:08 -0000 1.34 +++ bin/chmod/chmod.c 29 Aug 2015 09:48:14 -0000 @@ -32,6 +32,7 @@ #include <sys/types.h> #include <sys/stat.h> +#include <sys/tame.h> #include <err.h> #include <errno.h> @@ -153,6 +154,8 @@ done: atflags = 0; if (ischflags) { + tame(TAME_STDIO | TAME_RPATH | TAME_FATTR, NULL); + flags = *argv; if (*flags >= '0' && *flags <= '7') { errno = 0; Index: usr.bin/head/head.c =================================================================== RCS file: /cvs/src/usr.bin/head/head.c,v retrieving revision 1.18 diff -u -p -r1.18 head.c --- usr.bin/head/head.c 8 Oct 2014 08:31:53 -0000 1.18 +++ usr.bin/head/head.c 29 Aug 2015 09:48:14 -0000 @@ -29,6 +29,8 @@ * SUCH DAMAGE. */ +#include <sys/tame.h> + #include <stdio.h> #include <stdlib.h> #include <ctype.h> @@ -87,6 +89,7 @@ main(int argc, char *argv[]) if (!firsttime) exit(status); fp = stdin; + tame(TAME_STDIO, NULL); } else { if ((fp = fopen(*argv, "r")) == NULL) { warn("%s", *argv++);