Restricted lf

[avidseeker]

Vim and nano packages include more restricted versions rvim and rnano that minimize their capabilities in order to be safe to run as root.

Thoughts on creating a similar stripped-down version of lf?

[bogdan-the-great]

What would be different in normal and restricted lf?

[valoq]

rvim
                 Like the above, but with restrictions.  It will not be possible to  start  shell  commands,  or
                 suspend Vim.  Can also be done with the "-Z" argument.

       rnano runs the nano editor in restricted mode.  This allows editing only the specified file or files, and
       doesn't allow the user access to the filesystem nor to a command shell.

       In restricted mode, nano will:
       • not make backups;
       • not allow suspending;
       • not allow spell checking;
       • not read nor write the history files;
       • not allow saving the current buffer under a different name;
       • not allow inserting another file or opening a new buffer;
       • not allow appending or prepending to any file.

The rvim and rnano version both disable some dangerous features that are available by default in their normal version.
lf does support a number of features that could be considered dangerous, but none of them are enabled by default and must be manually configured through a custom lfrc file. Even the default lfrc.example file in this repository does not include dangerous features like file preview (other then plain text) or image preview.
The only dangerous features in lf would be those the user explicitly configures through lfrc, which they would have to do either globally or for root specifically to become a risk exposed to privileged users.

lf lf is run as root without a custom lfrc, which would have to be manually installed by the user, there should be no dangerous features available in the sense of rvim or rnano restrictions. Manually configured file preview scripts would probably represent the most significant risks in lf in general. If security is a concern, there is an easy to configure option to execute the preview script in a sandbox which will reduce the risks significantly.

Alternatively you can also use apparmor to confine applications that are automatically executed by lf preview scripts. https://github.com/roddhjav/apparmor.d is a decent collection of profiles that include most of such application.