patch 8.2.4282: restricted mode requires the -Z command line option

Problem:    Restricted mode requires the -Z command line option.
Solution:   Use restricted mode when $SHELL ends in "nologin" or "false".
            (closes #9681)

runtime/doc/starting.txt

@@ -256,6 +256,8 @@ a slash.  Thus "-R" means recovery and "-/R" readonly.
 		Interfaces, such as Python, Ruby and Lua, are also disabled,
 		since they could be used to execute shell commands.  Perl uses
 		the Safe module.
+		For Unix restricted mode is used when the last part of $SHELL
+		is "nologin" or "false".
 		Note that the user may still find a loophole to execute a
 		shell command, it has only been made difficult.
 

src/option.c

@@ -307,6 +307,17 @@ set_init_1(int clean_arg)
      */
     set_options_default(0);
 
+#ifdef UNIX
+    // Force restricted-mode on for "nologin" or "false" $SHELL
+    p = get_isolated_shell_name();
+    if (p != NULL)
+    {
+	if (fnamecmp(p, "nologin") == 0 || fnamecmp(p, "false") == 0)
+	    restricted = TRUE;
+	vim_free(p);
+    }
+#endif
+
 #ifdef CLEAN_RUNTIMEPATH
     if (clean_arg)
     {

src/testdir/test_restricted.vim

@@ -105,6 +105,14 @@ func Test_restricted_mode()
   if RunVim([], [], '-Z --clean -S Xrestricted')
     call assert_equal([], readfile('Xresult'))
   endif
+  call delete('Xresult')
+  if has('unix') && RunVimPiped([], [], '--clean -S Xrestricted', 'SHELL=/bin/false ')
+    call assert_equal([], readfile('Xresult'))
+  endif
+  call delete('Xresult')
+  if has('unix') && RunVimPiped([], [], '--clean -S Xrestricted', 'SHELL=/sbin/nologin')
+    call assert_equal([], readfile('Xresult'))
+  endif
 
   call delete('Xrestricted')
   call delete('Xresult')

src/version.c

@@ -746,6 +746,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    4282,
 /**/
     4281,
 /**/