# HG changeset patch
# User Bram Moolenaar
# Date 1643736605 -3600
# Node ID ef32ea9fbe6c9b1818eba946e9207be9495a0f98
# Parent 6708c3906c35aee9bdcc5d37794e387e101980d8
patch 8.2.4282: restricted mode requires the -Z command line option
Commit: https://github.com/vim/vim/commit/adbb1bf21dad5697cd82d46d9dd9e8e8d0f647e6
Author: matveyt
Date: Tue Feb 1 17:26:12 2022 +0000
patch 8.2.4282: restricted mode requires the -Z command line option
Problem: Restricted mode requires the -Z command line option.
Solution: Use restricted mode when $SHELL ends in "nologin" or "false". (closes #9681)
diff --git a/runtime/doc/starting.txt b/runtime/doc/starting.txt
--- a/runtime/doc/starting.txt
+++ b/runtime/doc/starting.txt
@@ -256,6 +256,8 @@ a slash. Thus "-R" means recovery and "
 Interfaces, such as Python, Ruby and Lua, are also disabled, since they could be used to execute shell commands. Perl uses the Safe module.
+ For Unix restricted mode is used when the last part of $SHELL
+ is "nologin" or "false".
 Note that the user may still find a loophole to execute a shell command, it has only been made difficult.
diff --git a/src/option.c b/src/option.c
--- a/src/option.c
+++ b/src/option.c
@@ -307,6 +307,17 @@ set_init_1(int clean_arg)
 */
 set_options_default(0);
+#ifdef UNIX
+ // Force restricted-mode on for "nologin" or "false" $SHELL
+ p = get_isolated_shell_name();
+ if (p != NULL)
+ {
+ if (fnamecmp(p, "nologin") == 0 || fnamecmp(p, "false") == 0)
+ restricted = TRUE;
+ vim_free(p);
+ }
+#endif
+
 #ifdef CLEAN_RUNTIMEPATH
 if (clean_arg)
 {
diff --git a/src/testdir/test_restricted.vim b/src/testdir/test_restricted.vim
--- a/src/testdir/test_restricted.vim
+++ b/src/testdir/test_restricted.vim
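Review bot: The added block in set_init_1 switches `restricted` on from the shell name alone, and that name is presumably derived from `$SHELL` (get_isolated_shell_name is not shown), so whoever sets the environment decides whether the check fires; the one-line comment should say this is a convenience default and not an access control, e.g. `// Convenience only: $SHELL comes from the environment; use -Z where restricted mode must be guaranteed.` The commit message says "ends in" while the code does a whole-name `fnamecmp` on the isolated name, so the comment should also state that the match is exact on that name. Accounts whose shell is `false` or `nologin` now get restricted mode without asking for it, and nothing in the hunk tells the user why shell-related commands start failing. set_init_1 starts and ends outside the hunk, so whether a later step can change the value checked here cannot be confirmed from these lines.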
@@ -105,6 +105,14 @@ func Test_restricted_mode()
 if RunVim([], [], '-Z --clean -S Xrestricted')
 call assert_equal([], readfile('Xresult'))
 endif
+ call delete('Xresult')
+ if has('unix') && RunVimPiped([], [], '--clean -S Xrestricted', 'SHELL=/bin/false ')
+ call assert_equal([], readfile('Xresult'))
+ endif
+ call delete('Xresult')
+ if has('unix') && RunVimPiped([], [], '--clean -S Xrestricted', 'SHELL=/sbin/nologin')
+ call assert_equal([], readfile('Xresult'))
+ endif
 call delete('Xrestricted')
 call delete('Xresult')
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -747,6 +747,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
 /**/
+ 4282,
+/**/
 4281,
 /**/
 4280,
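Review bot: The two new cases in Test_restricted_mode only cover shell names that should switch restricted mode on; there is no case showing that an ordinary `$SHELL`, or one whose last component merely contains `false` or `nologin`, leaves it off, so a change from exact match to suffix match in option.c would still pass. A third `RunVimPiped` call with a non-matching `SHELL=` value and an assertion on the opposite outcome would pin that down; its exact form depends on what Xrestricted writes, which is set up outside this hunk. The assertions also sit inside `if ... RunVimPiped(...)`, so a run that fails to start passes silently, as the existing `-Z` case above does. As rendered here the first call passes `'SHELL=/bin/false '` with a trailing space and the second `'SHELL=/sbin/nologin'` without one, so confirm how RunVimPiped joins that argument to the command line.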