remove -Z ("restricted" mode)

[justinmk]

Followup to #11929 (comment) :

-Z is a fake-secure mode that behaves slightly differently than "sandbox" mode. It sprinkles more whack-a-mole "secure" code in various places.

Does anyone actually use -Z? Where/why is it useful?

It's fragile to expect applications like N/Vim to plug all potential vectors for eval/shell/etc. For secure scenarios, OS permissions should be used instead.

[dstein64]

"Does anyone actually use -Z? Where/why is it useful?"

One use case is for vimgolf, where -Z is passed to the vim command. As is, removing -Z breaks vimgolf for users using GOLFVIM=nvim. Presumably a high proportion of vimgolf users, including those who use Neovim as their primary editor, do not change GOLFVIM—from its default vim—to nvim. However, the existence of vimgolf PRs* related to Neovim compatibility suggests that there will be users affected by this change (unless vimgolf is updated to accommodate).

• Support neovim in vimgolf cli igrigorik/vimgolf#246, use neovim if command is present otherwise use vim igrigorik/vimgolf#264

[bfredl]

@dstein64 does vimgolf rely anything allowed in restricted mode but disabled in the sandbox? because otherwise it could use the sandbox (I don't like sandbox either, but we won't do anything about it except doc updates possibly for 0.5)

[dstein64]

The documentation for sandbox says that "changing the buffer text" is not allowed in the sandbox, which would be a problem if the sandbox is used generally, and not just for normal mode commands.

vimgolf runs locally on users' computers, launching Vim with the -W option to record keystrokes. A few additional options, like -Z and --noplugin are passed so that solutions can only use pure Vim, as opposed to relying on external functionality or plugins. The keystrokes are then sent to the Vimgolf server for submission to the leaderboard.

In case the sandbox would be feasible, is there some way to run Neovim such that all commands are run through the sandbox?