> On Sat, 16 Dec 2017 19:39:27 +0000, Theo de Raadt wrote:
> > > On Sat, 16 Dec 2017 18:13:16 +0000, Jiri B wrote:
> > > > On Sat, Dec 16, 2017 at 04:55:44PM +0000, kshe wrote:
> > > > > Hi,
> > > > >
> > > > > Would a patch to bring back the `!' command to less(1) be accepted?  The
> > > > > commit message for its removal explains that ^Z should be used instead,
> > > > > but that obviously does not work if less(1) is run from something else
> > > > > than an interactive shell, for example when reading manual pages from a
> > > > > vi(1) instance spawned directly by `xterm -e vi' in a window manager or
> > > > > by `neww vi' in a tmux(1) session.
> > > >
> > > > Why should less be able to spawn other programs? This would undermine
> > > > all pledge work.
> > >
> > > Because of at least `v' and `|', less(1) already is able to invoke
> > > arbitrary programs, and accordingly needs the "proc exec" promise, so
> > > bringing `!' back would not change anything from a security perspective
> > > (otherwise, I would obviously not have made such a proposition).
> > >
> > > In fact, technically, what I want to do is still currently possible:
> > > from any less(1) instance, one may use `v' to invoke vi(1), and then use
> > > vi(1)'s own `!' command as desired.  So the functionality of `!' is
> > > still there; it was only made more difficult to reach for no apparent
> > > reason.
> >
> > No apparent reason?
> >
> > Good you have an opinion.  I have a different opinion: We should look
> > for rarely used functionality and gut it.
> 
> I completely agree, and I also completely agree with the rest of what
> you said.  However, in this particular case, the functionality of `!' is
> still fully (albeit indirectly) accessible, as shown above, and this is
> why its deletion, when not immediately followed by that of `|' and `v',
> made little sense for me.

Oh, so you don't agree.  Or do you.  I can't tell.  You haven't made up
your mind enough to have a final position?

> Either the commands that require "proc exec" should all be removed along
> with that promise, or `!' should be brought back without any pledge(2)
> modifications.

That is pretty absolutist.

The universe is not always consistent, and neither is OpenBSD.

The final decisions haven't been made yet, because we haven't gauged
the usage patterns.

> But currently it really feels like a big waste (for both
> parties) to request such high privileges, and then to do almost nothing
> useful with them.

Request?  pledge isn't a "request" system.  It is a 2nd specification
of the program about maximum it believes it will use, and therefore it
is a hard brake.  At the moment the featureset still needs "proc exec".
So the specification isn't a waste, it is accurate.

> If the plan really was to get rid of all such commands eventually, what
> exactly is preventing that from happening now?  

The plan was to get rid of ! in a few commands, then later get rid of
a few more of them, and see where we end up.  With such plans, we
don't always act all on one step, because then it is too easy to get
embroiled in just that one battle and forget about the other things
which also need doing.  Also it is impossible to ask the community
because petty fights result and provide inaccurate usage assessments.

There are many other things to do.  As a result, our universe is not
always consistent.  This is an example.

> May I go ahead and prepare a patch to remove "proc exec" entirely?

Sure you could try, and see who freaks out.  Exactly what the plan was
all along.
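As an added illustration of the "hard brake" point above (this is example code written for this page, not code from the thread, from less(1) or from OpenBSD): a child narrows itself with pledge(2), then does what `!`, `|` or `v` in less(1) do, namely fork a helper and exec a shell in it. With "stdio proc exec" the sequence completes; with only "stdio" the kernel does not return an error from fork(2) but kills the child with SIGABRT, so the parent observes a signal, not a failed call. The `pledge` stub under `#ifndef __OpenBSD__` is an assumption added so the file also compiles elsewhere; only OpenBSD enforces anything.

```c
/* Added example: pledge(2) is a hard brake, not a request.
 * Assumption: on non-OpenBSD hosts pledge() is stubbed as a no-op below
 * so the file compiles; enforcement only happens on OpenBSD. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Stub for non-OpenBSD hosts: enforces nothing, always "succeeds". */
static int pledge(const char *promises, const char *execpromises)
{
	(void)promises;
	(void)execpromises;
	return 0;
}
#endif

/* Fork a child, pledge it with `promises`, then have it fork a helper
 * and exec /bin/sh, mirroring how less(1) runs `!`, `|` and `v`.
 * Returns 1 if the whole spawn path ran (child exited 0),
 *         0 if the child was killed by a signal (SIGABRT from pledge on
 *           OpenBSD when "proc" or "exec" is missing),
 *        -1 on an unexpected failure unrelated to pledge. */
int exec_after_pledge(const char *promises)
{
	pid_t pid = fork();
	if (pid < 0)
		return -1;
	if (pid == 0) {
		/* Child: state the maximum it will ever use. */
		if (pledge(promises, NULL) == -1)
			_exit(2);
		pid_t helper = fork();              /* needs the "proc" promise */
		if (helper < 0)
			_exit(3);
		if (helper == 0) {
			/* needs the "exec" promise */
			execl("/bin/sh", "sh", "-c", "exit 0", (char *)NULL);
			_exit(4);                       /* exec failed for another reason */
		}
		int st;
		if (waitpid(helper, &st, 0) < 0)    /* wait4 is covered by "stdio" */
			_exit(5);
		_exit(WIFEXITED(st) && WEXITSTATUS(st) == 0 ? 0 : 6);
	}
	int status;
	if (waitpid(pid, &status, 0) < 0)
		return -1;
	if (WIFSIGNALED(status))
		return 0;   /* the brake: killed, not refused */
	if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
		return 1;
	return -1;
}

int main(void)
{
	/* On OpenBSD: first line prints 1, second prints 0 (child aborted).
	 * Elsewhere the stub enforces nothing and both print 1. */
	printf("\"stdio proc exec\": %d\n", exec_after_pledge("stdio proc exec"));
	printf("\"stdio\":           %d\n", exec_after_pledge("stdio"));
	return 0;
}
```

Run it on OpenBSD to see the difference between the two promise strings; the second call leaves no errno to inspect because the violating process never gets control back, which is exactly why the promise string has to be accurate rather than minimal.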
