In addition to changing the uid, the method also changes the gid and
properly sets groups. So this patch will also mitigate the security
issue of `pls`.
Error::from_string_literal now takes direct char const*s, while
Error::from_string_view does what Error::from_string_literal used to do:
taking StringViews. This change will remove the need to insert `sv`
after error strings when returning string literal errors once
StringView(char const*) is removed.
No functional changes.
This commit moves the length calculations out to be directly on the
StringView users. This is an important step towards the goal of removing
StringView(char const*), as it moves the responsibility of calculating
the size of the string to the user of the StringView (which will prevent
naive uses causing OOB access).
This allows us to skip storing the actual backing data in a separate
`Vector`, as we know that we are working with `environ`-backed storage
here.
Also, while the logic is currently very similar to what `getenv` does
internally, this allows us to eventually implement custom environment
variable filters while remaining linear in run time.
This allows using pls on a program with arguments more ergonomically,
e.g. `pls -- echo "hello friends"` can now simply be done as:
`pls echo "hello friends"`.
Since this program is setuid-root, it should be as simple as possible.
To that end, remove `/etc/plsusers` and use filesystem permissions to
achieve the same thing. `/bin/pls` is now only executable by `root` or
members of the `wheel` group.
Also remove all the logic that went to great lengths to `unveil()` a
minimal set of filesystem paths that may be used for the command.
The complexity-to-benefit ratio did not seem justified, and I think
we're better off keeping this simple.
Finally, remove pledge promises the moment they are no longer needed.
