From 087a5e3bded332da879c0e9d84daad080bd11b0c Mon Sep 17 00:00:00 2001 From: deraadt Date: Sun, 10 Dec 2017 01:03:46 +0000 Subject: [PATCH] -r restricted mode blocks certain operations as ~ operations. from Jan Klemkow ok nicm --- usr.bin/cu/command.c | 8 +++++++- usr.bin/cu/cu.1 | 17 ++++++++++++++--- usr.bin/cu/cu.c | 14 +++++++++++--- usr.bin/cu/cu.h | 3 ++- 4 files changed, 34 insertions(+), 8 deletions(-) diff --git a/usr.bin/cu/command.c b/usr.bin/cu/command.c index 9ae8e9adf9c..c07fe73aeca 100644 --- a/usr.bin/cu/command.c +++ b/usr.bin/cu/command.c @@ -1,4 +1,4 @@ -/* $OpenBSD: command.c,v 1.15 2015/10/05 23:15:31 nicm Exp $ */ +/* $OpenBSD: command.c,v 1.16 2017/12/10 01:03:46 deraadt Exp $ */ /* * Copyright (c) 2012 Nicholas Marriott @@ -28,6 +28,7 @@ #include #include #include +#include #include #include "cu.h" @@ -222,6 +223,11 @@ start_record(void) void do_command(char c) { + if (restricted && strchr("CRX$>", c) != NULL) { + cu_warnx("~%c command is not allowed in restricted mode", c); + return; + } + switch (c) { case '.': case '\004': /* ^D */ diff --git a/usr.bin/cu/cu.1 b/usr.bin/cu/cu.1 index 2f1a3c836c6..3f47560afde 100644 --- a/usr.bin/cu/cu.1 +++ b/usr.bin/cu/cu.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: cu.1,v 1.15 2015/05/18 09:35:05 nicm Exp $ +.\" $OpenBSD: cu.1,v 1.16 2017/12/10 01:03:46 deraadt Exp $ .\" .\" Copyright (c) 1980, 1990, 1993 .\" The Regents of the University of California. All rights reserved. @@ -27,7 +27,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd $Mdocdate: May 18 2015 $ +.Dd $Mdocdate: December 10 2017 $ .Dt CU 1 .Os .Sh NAME @@ -35,7 +35,7 @@ .Nd serial terminal emulator .Sh SYNOPSIS .Nm -.Op Fl d +.Op Fl dr .Op Fl l Ar line .Op Fl s Ar speed | Fl Ar speed .Nm 
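Review bot: The blocked set in `strchr("CRX$>", c)` at the top of do_command does not agree with the cu.1 hunks in this same patch. The manual adds "This command is not allowed in restricted mode." under `~D`, yet `'D'` is not in the list, while `'>'` is in the list but has no matching sentence in the visible manual hunks (its entry may lie outside them). Since -r is documented as preventing local filesystem operations and command execution, and deasserting DTR is neither, the manual line under `~D` looks like the side to drop; if `~D` really is meant to be blocked, the list would need to be `"CDRX$>"`. A short comment above the check, such as `/* must list every ~ command that touches the filesystem or runs a program */`, would help keep the two in step. do_command's body continues outside the hunk.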
@@ -55,6 +55,11 @@ The options are as follows: Specify that the line is directly connected and .Nm should not allow the driver to block waiting for a carrier to be detected. +.It Fl r +Starts +.Nm +in restricted mode. +This prevents all local filesystem operations and command executions. .It Fl l Ar line Specify the line to use. Either of the forms like @@ -114,6 +119,7 @@ process to the remote host. The command string sent to the local .Ux system is processed by the shell. +This command is not allowed in restricted mode. .It Ic ~# Send a .Dv BREAK @@ -132,16 +138,21 @@ file descriptors: 1 \*(Lt-\*(Gt remote tty out 2 \*(Lt-\*(Gt local tty stderr .Ed +.Pp +This command is not allowed in restricted mode. .It Ic ~D Deassert the data terminal ready (DTR) line briefly. +This command is not allowed in restricted mode. .It Ic ~R Record all output from the remote system to a file. If the given file already exists, it is appended to. If no file is specified, any existing recording is stopped. +This command is not allowed in restricted mode. .It Ic ~S Change the speed of the connection. .It Ic ~X Send a file with the XMODEM protocol. +This command is not allowed in restricted mode. .It Ic ~? Get a summary of the tilde escapes. .El diff --git a/usr.bin/cu/cu.c b/usr.bin/cu/cu.c index 8d1935a11c2..03a2df4181f 100644 --- a/usr.bin/cu/cu.c +++ b/usr.bin/cu/cu.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cu.c,v 1.25 2017/08/22 16:32:37 mestre Exp $ */ +/* $OpenBSD: cu.c,v 1.26 2017/12/10 01:03:46 deraadt Exp $ */ /* * Copyright (c) 2012 Nicholas Marriott @@ -42,6 +42,7 @@ struct termios saved_tio; struct bufferevent *input_ev; struct bufferevent *output_ev; int is_direct = -1; +int restricted = 0; const char *line_path = NULL; int line_speed = -1; int line_fd; 
@@ -66,7 +67,7 @@ void try_remote(const char *, const char *, const char *); __dead void usage(void) { - fprintf(stderr, "usage: %s [-d] [-l line] [-s speed | -speed]\n", + fprintf(stderr, "usage: %s [-dr] [-l line] [-s speed | -speed]\n", __progname); fprintf(stderr, " %s [host]\n", __progname); exit(1); @@ -100,11 +101,16 @@ main(int argc, char **argv) errx(1, "speed asprintf"); } - while ((opt = getopt(argc, argv, "dl:s:")) != -1) { + while ((opt = getopt(argc, argv, "drl:s:")) != -1) { switch (opt) { case 'd': is_direct = 1; break; + case 'r': + if (pledge("stdio rpath wpath tty", NULL) == -1) + err(1, "pledge"); + restricted = 1; + break; case 'l': line_path = optarg; break; @@ -162,6 +168,8 @@ main(int argc, char **argv) line_fd = open(line_path, flags); if (line_fd < 0) err(1, "open(\"%s\")", line_path); + if (restricted && pledge("stdio tty", NULL) == -1) + err(1, "pledge"); if (!isatty(line_fd)) err(1, "%s", line_path); if (ioctl(line_fd, TIOCEXCL) != 0) diff --git a/usr.bin/cu/cu.h b/usr.bin/cu/cu.h index 10745bc037a..2a7ca45d414 100644 --- a/usr.bin/cu/cu.h +++ b/usr.bin/cu/cu.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cu.h,v 1.7 2015/10/05 23:15:31 nicm Exp $ */ +/* $OpenBSD: cu.h,v 1.8 2017/12/10 01:03:46 deraadt Exp $ */ /* * Copyright (c) 2012 Nicholas Marriott @@ -23,6 +23,7 @@ void do_command(char); /* cu.c */ +extern int restricted; extern FILE *record_file; extern struct termios saved_tio; extern int line_fd; -- 2.20.1
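Review bot: The two pledge() calls added for -r in main have no comment saying which promise set is needed at which stage, so a reader can mistake the `restricted` test in do_command for the actual enforcement point. The `case 'r':` arm narrows to `stdio rpath wpath tty`, apparently because the line device still has to be opened, and the later hunk drops to `stdio tty` directly after `open(line_path, flags)`. I would add `/* keep rpath/wpath only until the line has been opened */` above the first call and `/* line is open: no further filesystem access in restricted mode */` above the second. main starts and ends outside both hunks, so it cannot be confirmed from here that nothing after the second call still needs rpath or wpath when -r is set.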