file is sandboxed and runs as the _file user.
Consider the following: you download a random file from the internet and
analyze it using file. If file has a security hole (local code execution,
for example) and the downloaded file is crafted to exploit it, that file can
run attacks. That’s why the file utility is sandboxed and chrooted by default.
Details:
- ‘CVS: cvs.openbsd.org: src’ - MARC
- CVS log for src/usr.bin/file/Attic/sandbox.c
- ‘CVS: cvs.openbsd.org: src’ - MARC
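
The pattern described above, as an added C example (not OpenBSD's file source): the parent opens the file, and a forked child confines itself with chroot and drops to an unprivileged ID before it parses any untrusted bytes. The ID 65534, the /tmp jail directory and the toy sniff() parser are assumptions for illustration; when not started as root the child cannot chroot and runs unconfined.

```c
#define _DEFAULT_SOURCE 1        /* exposes chroot() and setgroups() on glibc */
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHILD_FAIL (-2)          /* child could not confine itself or report back */
#define UNPRIV_ID 65534          /* assumption: stand-in for a dedicated user like _file */

/* Child only: confine to an empty directory, then give up root for good. */
static int drop_privileges(const char *jail) {
    gid_t g = UNPRIV_ID;
    if (geteuid() != 0) return 0;   /* demo only: a real tool would refuse to go on */
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(1, &g) != 0 || setgid(g) != 0 || setuid(UNPRIV_ID) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0; /* regaining root must fail */
}

/* Toy parser standing in for the real magic-number matching. */
static const char *sniff(const unsigned char *b, ssize_t n) {
    if (n >= 4 && memcmp(b, "\x7f" "ELF", 4) == 0) return "ELF";
    if (n >= 4 && memcmp(b, "%PDF", 4) == 0) return "PDF";
    return "data";
}

/* The parent opens the file; its bytes are parsed only in the confined child. */
int classify_sandboxed(const char *path, char *out, size_t outlen) {
    char jail[] = "/tmp/jailXXXXXX";
    unsigned char buf[64];
    int p[2], status = 0, fd;
    if (outlen < 2 || (fd = open(path, O_RDONLY)) < 0) return -1;
    if (pipe(p) != 0) { close(fd); return -1; }
    if (mkdtemp(jail) == NULL) { close(fd); close(p[0]); close(p[1]); return -1; }
    pid_t pid = fork();
    if (pid == 0) {
        close(p[0]);
        if (drop_privileges(jail) != 0) _exit(2);
        const char *r = sniff(buf, read(fd, buf, sizeof buf));
        _exit(write(p[1], r, strlen(r)) < 0);
    }
    close(p[1]); close(fd);
    ssize_t n = read(p[0], out, outlen - 1);   /* only the verdict crosses the pipe */
    out[n > 0 ? n : 0] = '\0'; close(p[0]);
    int reaped = pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status);
    rmdir(jail);
    return !reaped ? -1 : WEXITSTATUS(status) == 0 ? 0 : CHILD_FAIL;
}
```

Only the short verdict string travels back to the parent, so a bug triggered while parsing stays inside a process that has no filesystem view and no root privileges.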