I think I found a way to configure the redis.conf to connect to redis through a unix socket instead, which will seem to clean up some stuff. If I need to later, I could probably spawn a process to relay commands from a unix socket to an inet socket that is limited to a single port through a different user through pf (and when I get a more serious machine, possibly through a unique interface). Most importantly, I need it for session cache for multiple processes.

On Sat, Apr 29, 2017 at 10:02 AM Luke Small <lukensm...@gmail.com> wrote:

> I have a program that I believe needs inet to talk to a
> database(libhiredis). I do pass file descriptors to it. I don't suppose
> making it run as a different user and limiting the pf config would really
> lock it down without losing functionality. Maybe I'm too paranoid.
>
> On Sat, Apr 29, 2017 at 9:51 AM Reyk Floeter <r...@openbsd.org> wrote:
>
>> > On 26.04.2017 at 13:38, Luke Small <lukensm...@gmail.com> wrote:
>> >
>> > Pledge will presumably have per process (including fork()ed process)
>> > **path
>> > limitations on rpath rpath and wpath calls, why not limitations on inet
>> > and unix?
>>
>> We usually want to isolate our network speakers from the local system -
>> combining inet and rpath/wpath should be avoided.
>>
>> Use privsep and fd passing to open the socket in another process with the
>> capability to do so.
>>
>> This is what we do in most daemons.
>>
>> Or open the socket before pledge for static configurations.
>>
>> Reyk
>>
>> On Wed, Apr 26, 2017 at 6:26 AM Janne Johansson <icepic...@gmail.com>
>> wrote:
>>
>> >> 2017-04-26 13:19 GMT+02:00 Luke Small <lukensm...@gmail.com>:
>> >>
>> >>> I'm not saying to alter pledge necessarily, maybe make new system call
>> >>> like pledge. There aren't any per-process pf rules that are applied.
>> >>
>> >> If your daemon has a specific user, you can make such rules in PF.
>> >> The goal you stated can be reached already, why keep on suggesting new
>> >> syscalls?
>> >>
>> >> --
>> >> May the most significant bit of your life be positive.
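The "privsep and fd passing" split Reyk recommends above, as an added example that is not part of the thread and not code from any OpenBSD daemon: a connector process that holds the socket capability opens the connection, and the worker, pledged without "inet" or "unix", receives the already-connected descriptor over a socketpair via SCM_RIGHTS. The `send_fd`/`recv_fd` helpers, the `run_privsep_demo` driver and the PING/PONG exchange are all constructed for the example; the redis connection is stood in for by a second socketpair so the code runs offline. The `pledge("stdio recvfd", NULL)` call is compiled only on OpenBSD, where "recvfd" is the promise that permits receiving descriptors with recvmsg; on other systems the fd passing itself still runs.

```c
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>

/* Send one descriptor over the UNIX-domain socket `chan` (SCM_RIGHTS).
 * Returns 0 on success, -1 on failure. */
int send_fd(int chan, int fd) {
    char tag = 'F';
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor from `chan`; returns the new fd or -1. The control
 * message is validated before use so an unexpected message is never trusted. */
int recv_fd(int chan) {
    char tag;
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    if (recvmsg(chan, &msg, 0) != 1)
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET ||
        cm->cmsg_type != SCM_RIGHTS || cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* End-to-end run of the split. The parent is the connector that owns the
 * connect capability; the forked child is the pledged worker that only talks
 * through the descriptor it was handed. A socketpair stands in for the redis
 * unix socket (constructed for the example). Returns 0 when the worker got
 * the expected reply over the passed descriptor, -1 otherwise. */
int run_privsep_demo(void) {
    int chan[2], db[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) == -1)
        return -1;
    /* In a real daemon this is the connector's connect() to the unixsocket
     * path configured in redis.conf; here it is a local socketpair. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, db) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        /* Worker: never opens a socket itself, so it needs neither "inet"
         * nor "unix", only "recvfd" to accept the descriptor. */
        close(chan[0]); close(db[0]); close(db[1]);
#ifdef __OpenBSD__
        if (pledge("stdio recvfd", NULL) == -1)
            _exit(2);
#endif
        int conn = recv_fd(chan[1]);
        if (conn == -1)
            _exit(3);
        if (write(conn, "PING\r\n", 6) != 6)
            _exit(4);
        char reply[16] = {0};
        ssize_t n = read(conn, reply, sizeof reply - 1);
        _exit(n > 0 && strcmp(reply, "+PONG\r\n") == 0 ? 0 : 5);
    }
    /* Connector: hand the connected descriptor over, then drop its own copy. */
    close(chan[1]);
    int rc = send_fd(chan[0], db[1]);
    close(chan[0]); close(db[1]);
    if (rc == -1) { close(db[0]); return -1; }
    /* Demo only: play the database on the far end of the socket. */
    char req[16] = {0};
    if (read(db[0], req, sizeof req - 1) <= 0 || strcmp(req, "PING\r\n") != 0 ||
        write(db[0], "+PONG\r\n", 7) != 7)
        rc = -1;
    close(db[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        rc = -1;
    return rc;
}

int main(void) {
    printf("privsep fd-passing demo: %s\n", run_privsep_demo() == 0 ? "ok" : "failed");
    return 0;
}
```

The connector side would itself be pledged with "sendfd" plus whichever of "unix" or "inet" its connect() needs, so the network capability lives in exactly one small process. For a fixed configuration the simpler option Reyk also names applies: connect() before calling pledge and keep only "stdio" afterwards, since an already-open descriptor needs no socket promise to be read or written.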