On Sat, Dec 02, 2017 at 08:17:15PM +0100, Jan Klemkow wrote:
> On Fri, Dec 01, 2017 at 04:17:42PM -0700, Theo de Raadt wrote:
> > So two comments:  Calling this thing by the right name (escape),
> > would allow you to search other programs which have similar functions,
> > see if someone did it before, and match the behaviour / option.
> 
> Yes, the term "kiosk mode" is not that common in unix environments.
> So, I changed it to "restricted mode" as it is used in ksh(1).

Sorry for the noise.  I forgot to change the warning messages.  I also
changed the variable r_flag to "restricted", as it is named in the source
of ksh(1), too.

This version should be fine:

Index: command.c
===================================================================
RCS file: /cvs/src/usr.bin/cu/command.c,v
retrieving revision 1.15
diff -u -p -r1.15 command.c
--- command.c   5 Oct 2015 23:15:31 -0000       1.15
+++ command.c   2 Dec 2017 19:30:52 -0000
@@ -233,6 +233,10 @@ do_command(char c)
                set_termios();
                break;
        case 'C':
+               if (restricted) {
+                       cu_warnx("~C command is not allowed in restricted 
mode");
+                       break;
+               }
                connect_command();
                break;
        case 'D':
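Review bot: The restricted-mode guard added under `case 'C':` is a per-command deny-list, so any tilde escape added to do_command later is allowed in restricted mode unless its author remembers to copy the block. The same five lines are repeated for ~R, ~X, ~$ and ~> in the next hunk. One test ahead of the switch would keep the blocked set in a single place, for example `if (restricted && c != '\0' && strchr("CRX$>", c) != NULL) { cu_warnx("~%c command is not allowed in restricted mode", c); return; }`. That assumes cu_warnx takes a printf-style format and that nothing after the switch must still run; do_command starts and ends outside the hunk, so both need checking.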
@@ -241,18 +245,34 @@ do_command(char c)
                ioctl(line_fd, TIOCSDTR, NULL);
                break;
        case 'R':
+               if (restricted) {
+                       cu_warnx("~R command is not allowed in restricted 
mode");
+                       break;
+               }
                start_record();
                break;
        case 'S':
                set_speed();
                break;
        case 'X':
+               if (restricted) {
+                       cu_warnx("~X command is not allowed in restricted 
mode");
+                       break;
+               }
                send_xmodem();
                break;
        case '$':
+               if (restricted) {
+                       cu_warnx("~$ command is not allowed in restricted 
mode");
+                       break;
+               }
                pipe_command();
                break;
        case '>':
+               if (restricted) {
+                       cu_warnx("~> command is not allowed in restricted 
mode");
+                       break;
+               }
                send_file();
                break;
        case '#':
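Review bot: `case 'D':` gets no restricted check in this file, yet the cu.1 hunk in the same patch adds "This command is not allowed in restricted mode." under ~D. Conversely, ~> is blocked here but none of the visible cu.1 hunks add that sentence for it, though its entry may lie outside them. Code and manual should agree on what restricted mode forbids. If ~D is meant to be blocked, add `if (restricted) { cu_warnx("~D command is not allowed in restricted mode"); break; }` before `ioctl(line_fd, TIOCSDTR, NULL);`; otherwise drop the sentence from the ~D entry.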
Index: cu.1
===================================================================
RCS file: /cvs/src/usr.bin/cu/cu.1,v
retrieving revision 1.15
diff -u -p -r1.15 cu.1
--- cu.1        18 May 2015 09:35:05 -0000      1.15
+++ cu.1        2 Dec 2017 18:06:25 -0000
@@ -35,7 +35,7 @@
 .Nd serial terminal emulator
 .Sh SYNOPSIS
 .Nm
-.Op Fl d
+.Op Fl dr
 .Op Fl l Ar line
 .Op Fl s Ar speed | Fl Ar speed
 .Nm
@@ -55,6 +55,11 @@ The options are as follows:
 Specify that the line is directly connected and
 .Nm
 should not allow the driver to block waiting for a carrier to be detected.
+.It Fl r
+Starts
+.Nm
+in restricted mode.
+This prevents all local filesystem operations and command executions.
 .It Fl l Ar line
 Specify the line to use.
 Either of the forms like
@@ -114,6 +119,7 @@ process to the remote host.
 The command string sent to the local
 .Ux
 system is processed by the shell.
+This command is not allowed in restricted mode.
 .It Ic ~#
 Send a
 .Dv BREAK
@@ -132,16 +138,21 @@ file descriptors:
 1 \*(Lt-\*(Gt remote tty out
 2 \*(Lt-\*(Gt local tty stderr
 .Ed
+.Pp
+This command is not allowed in restricted mode.
 .It Ic ~D
 Deassert the data terminal ready (DTR) line briefly.
+This command is not allowed in restricted mode.
 .It Ic ~R
 Record all output from the remote system to a file.
 If the given file already exists, it is appended to.
 If no file is specified, any existing recording is stopped.
+This command is not allowed in restricted mode.
 .It Ic ~S
 Change the speed of the connection.
 .It Ic ~X
 Send a file with the XMODEM protocol.
+This command is not allowed in restricted mode.
 .It Ic ~?
 Get a summary of the tilde escapes.
 .El
Index: cu.c
===================================================================
RCS file: /cvs/src/usr.bin/cu/cu.c,v
retrieving revision 1.25
diff -u -p -r1.25 cu.c
--- cu.c        22 Aug 2017 16:32:37 -0000      1.25
+++ cu.c        2 Dec 2017 19:28:52 -0000
@@ -42,6 +42,7 @@ struct termios                 saved_tio;
 struct bufferevent     *input_ev;
 struct bufferevent     *output_ev;
 int                     is_direct = -1;
+int                     restricted = 0;
 const char             *line_path = NULL;
 int                     line_speed = -1;
 int                     line_fd;
@@ -66,7 +67,7 @@ void          try_remote(const char *, const cha
 __dead void
 usage(void)
 {
-       fprintf(stderr, "usage: %s [-d] [-l line] [-s speed | -speed]\n",
+       fprintf(stderr, "usage: %s [-dk] [-l line] [-s speed | -speed]\n",
            __progname);
        fprintf(stderr, "       %s [host]\n", __progname);
        exit(1);
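Review bot: The usage string advertises `[-dk]`, but the getopt string in the next hunk and the cu.1 synopsis both use `-r`. This looks like a leftover from the earlier "kiosk" naming. The line should read `fprintf(stderr, "usage: %s [-dr] [-l line] [-s speed | -speed]\n",`.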
@@ -100,11 +101,16 @@ main(int argc, char **argv)
                        errx(1, "speed asprintf");
        }
 
-       while ((opt = getopt(argc, argv, "dl:s:")) != -1) {
+       while ((opt = getopt(argc, argv, "drl:s:")) != -1) {
                switch (opt) {
                case 'd':
                        is_direct = 1;
                        break;
+               case 'r':
+                       if (pledge("stdio rpath wpath tty", NULL) == -1)
+                               err(1, "pledge");
+                       restricted = 1;
+                       break;
                case 'l':
                        line_path = optarg;
                        break;
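Review bot: Calling pledge() inside `case 'r':` ties the sandbox to argument parsing, so options that follow -r are parsed under the reduced promise set and options before it are not. Setting only `restricted = 1;` in the switch and narrowing once after the loop, with `if (restricted && pledge("stdio rpath wpath tty", NULL) == -1) err(1, "pledge");`, gives one predictable path. If main() also makes an unconditional pledge() call outside this hunk, check that it cannot run after this one with a wider promise set; pledge can only reduce promises, so that call would fail. main() starts and ends outside the hunk.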
@@ -162,6 +168,8 @@ main(int argc, char **argv)
        line_fd = open(line_path, flags);
        if (line_fd < 0)
                err(1, "open(\"%s\")", line_path);
+       if (restricted && pledge("stdio tty", NULL) == -1)
+               err(1, "pledge");
        if (!isatty(line_fd))
                err(1, "%s", line_path);
        if (ioctl(line_fd, TIOCEXCL) != 0)
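Review bot: This second pledge() is what enforces restricted mode, but the code does not say so. The `if (restricted)` checks in do_command presumably exist only to print a warning instead of letting the process be killed on a pledge violation. A comment above the call would make that explicit, for example `/* restricted: line is open, drop rpath/wpath so no local file can be opened from here on */`. It would also remind whoever adds a new tilde escape that it must work under "stdio tty" or be refused in do_command.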
Index: cu.h
===================================================================
RCS file: /cvs/src/usr.bin/cu/cu.h,v
retrieving revision 1.7
diff -u -p -r1.7 cu.h
--- cu.h        5 Oct 2015 23:15:31 -0000       1.7
+++ cu.h        2 Dec 2017 19:27:26 -0000
@@ -23,6 +23,7 @@
 void                            do_command(char);
 
 /* cu.c */
+extern int                      restricted;
 extern FILE                    *record_file;
 extern struct termios           saved_tio;
 extern int                      line_fd;
