On 2019/07/14 17:18, Klemens Nanni wrote:
> On Sun, Jul 14, 2019 at 03:46:06PM +0200, Stefan Sperling wrote:
> > Overriding gitdaemon_flags in /etc/rc.conf.local will cause rc.d to
> > run git-daemon as root instead of the expected _gitdaemon user.
> Well, you ought to check the existing daemon flags before changing them.
>
> Admittedly, this is suboptimal and users have to carry the options along
> themselves, but some third-party daemons will not work with `daemon_user`,
> and I believe git-daemon(1) is one of them.
>
> > To reproduce, try an rc.conf.local line such as:
> > gitdaemon_flags=--listen=127.0.0.1 /git
> >
> > This happens because the rc script currently depends on git-daemon itself
> > to switch the user ID, rather than using rc.d's built-in mechanism which
> > forces a UID with su(1). If the user overrides the flags, no UID switch
> > will happen.
> Off the top of my head, I know that this is the case for security/hitch
> and net/tinc as well. I remember discussion about putting `-u $user'
> into `$daemon' itself to enforce the user for cases where our rc.subr(8)
> framework is not applicable, but there were objections.
>
> > Anyone exposing git-daemon to the public internet on an OpenBSD system
> > should check their system. This line in rc.conf.local will force the
> > daemon to run under its dedicated user account:
> > gitdaemon_user=_gitdaemon
> This will also (partially?) break git-daemon(1)'s `--inetd' option,
> I think. From the manual:

You wouldn't be using --inetd in a rcctl-started daemon.

> --user=<user>, --group=<group>
>     Change daemon's uid and gid before entering the service loop. When
>     only --user is given without --group, the primary group ID for the
>     user is used. The values of the option are given to getpwnam(3) and
>     getgrnam(3) and numeric IDs are not supported.
>
>     Giving these options is an error when used with --inetd; use the
>     facility of inet daemon to achieve the same before spawning git
>     daemon if needed.
>
>     Like many programs that switch user id, the daemon does not reset
>     environment variables such as $HOME when it runs git programs, e.g.
>
> So switching to "_gitdaemon" at runtime and starting as it through su(1)
> is not the same.
>
> > Note that git-daemon does not support any of the standard exploit
> > mitigation measures regular OpenBSD daemons provide; there is not
> > even support for chroot(8).
> >
> > Fix for the port:
> This seems like the right direction and I support setups with less
> potential to accidentally run things as root, but existing setups might
> break.

I think this is likely to work for git-daemon but isn't always going to
work in the general case (sometimes a daemon needs to bind to port <1024,
for example). So maybe it's better if we come up with a more general thing
that can be copied and pasted (after all rc.d/gitdaemon is going to be
present on many users' and devs' machines so it's not a bad place for a
reusable example). Hardcoding a username in $daemon won't always work,
somebody might need to run as a different uid. Another approach might be
a custom rc_start that starts the daemon as root and adds
--user=${daemon_user} etc to the command line.
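The custom rc_start approach suggested above, written out as an added example rc.d script (it is not the git port's actual rc script, and the git-daemon binary path and the _gitdaemon account are assumptions): the daemon is started as root and --user=${daemon_user} is appended after whatever gitdaemon_flags rc.conf.local supplies, so an override of the flags can no longer drop the UID switch.

```ksh
#!/bin/ksh
#
# /etc/rc.d/gitdaemon -- added example, not the port's own rc script.
# Start git-daemon as root and append --user from ${daemon_user}, so that an
# admin-supplied gitdaemon_flags line in rc.conf.local cannot silently make
# the daemon keep running as root. The binary path below is an assumption.

daemon="/usr/local/libexec/git/git-daemon"
daemon_user="_gitdaemon"
daemon_flags="--base-path=/var/git --export-all --detach"

. /etc/rc.d/rc.subr

rc_reload=NO

# daemon_flags and daemon_user now reflect any gitdaemon_flags / gitdaemon_user
# override from rc.conf.local. --user is always appended after the flags; the
# primary group of that user is used when no --group is given (git-daemon(1)).
gitdaemon_cmd="${daemon} ${daemon_flags} --user=${daemon_user}"

# rc_check matches the full command line, so it must include the appended option.
pexp="${gitdaemon_cmd}"

# Deliberately not going through ${rcexec} (su(1)): the process starts as root,
# can still bind a privileged port if asked to, and git-daemon drops to
# ${daemon_user} itself before entering the service loop. --detach forks it.
rc_start() {
	${gitdaemon_cmd}
}

rc_cmd $1
```

Because git-daemon does not reset $HOME when it switches user, the environment the daemon inherits from rc(8) is the one its git helpers will see; the su(1) path in rc.subr would have given it the target user's environment instead.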