Because pledge(2) does not allow us to pass directory file descriptors

around, we can't use file descriptors for the working directory because
we will be unable to pass it to a privileged process to tell it where to
read or write files or spawn children. So move tmux back to using
strings for the current working directory. We try to check it exists
with access() when it is set but ultimately fall back to ~ if it fails
at time of use (or / if that fails too).

cmd-load-buffer.c

@@ -49,10 +49,10 @@ cmd_load_buffer_exec(struct cmd *self, struct cmd_q *cmdq)
 	struct client	*c = cmdq->client;
 	struct session  *s;
 	FILE		*f;
-	const char	*path, *bufname;
-	char		*pdata, *new_pdata, *cause;
+	const char	*path, *bufname, *cwd;
+	char		*pdata, *new_pdata, *cause, *file, resolved[PATH_MAX];
 	size_t		 psize;
-	int		 ch, error, cwd, fd;
+	int		 ch, error;
 
 	bufname = NULL;
 	if (args_has(args, 'b'))
@@ -75,13 +75,16 @@ cmd_load_buffer_exec(struct cmd *self, struct cmd_q *cmdq)
 	else if ((s = cmd_find_current(cmdq)) != NULL)
 		cwd = s->cwd;
 	else
-		cwd = AT_FDCWD;
+		cwd = ".";
 
-	if ((fd = openat(cwd, path, O_RDONLY)) == -1 ||
-	    (f = fdopen(fd, "rb")) == NULL) {
-		if (fd != -1)
-			close(fd);
-		cmdq_error(cmdq, "%s: %s", path, strerror(errno));
+	xasprintf(&file, "%s/%s", cwd, path);
+	if (realpath(file, resolved) == NULL)
+		f = NULL;
+	else
+		f = fopen(resolved, "rb");
+	free(file);
+	if (f == NULL) {
+		cmdq_error(cmdq, "%s: %s", resolved, strerror(errno));
 		return (CMD_RETURN_ERROR);
 	}
 
@@ -97,7 +100,7 @@ cmd_load_buffer_exec(struct cmd *self, struct cmd_q *cmdq)
 		pdata[psize++] = ch;
 	}
 	if (ferror(f)) {
-		cmdq_error(cmdq, "%s: read error", path);
+		cmdq_error(cmdq, "%s: read error", resolved);
 		goto error;
 	}
 	if (pdata != NULL)