In secure mode (-S), skip sending mail when executing the :pre[serve]

command or when dying from SIGTERM.  This way, creating the recovery
file works again without re-adding "proc exec" to the pledge(2).
As reported by Jesper Wallin <jesper at ifconfig dot se>, this got
broken by common/main.c rev. 1.29 (Nov 19, 2015).
The general direction of the fix was suggested by brynet@.
OK brynet@ and no opposition when shown on tech@

1 files changed, 10 insertions, 1 deletions

diff --git a/usr.bin/vi/common/recover.c b/usr.bin/vi/common/recover.c
index 1d4b824cae8..e3ae19b7e58 100644
--- a/usr.bin/vi/common/recover.c
+++ b/usr.bin/vi/common/recover.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: recover.c,v 1.29 2017/11/10 18:25:48 martijn Exp $	*/
+/*	$OpenBSD: recover.c,v 1.30 2019/07/22 12:39:02 schwarze Exp $	*/
 
 /*-
  * Copyright (c) 1993, 1994
@@ -821,6 +821,15 @@ rcv_email(SCR *sp, int fd)
 	struct stat sb;
 	pid_t pid;
 
+	/*
+	 * In secure mode, our pledge(2) includes neither "proc"
+	 * nor "exec".  So simply skip sending the mail.
+	 * Later vi -r still works because rcv_mailfile()
+	 * already did all the necessary setup.
+	 */
+	if (O_ISSET(sp, O_SECURE))
+		return;
+
 	if (_PATH_SENDMAIL[0] != '/' || stat(_PATH_SENDMAIL, &sb) == -1)
 		msgq_str(sp, M_SYSERR,
 		    _PATH_SENDMAIL, "not sending email: %s");