On 2019/07/14 17:18, Klemens Nanni wrote:
> On Sun, Jul 14, 2019 at 03:46:06PM +0200, Stefan Sperling wrote:
> > Overriding gitdaemon_flags in /etc/rc.conf.local will cause rc.d to
> > run git-daemon as root instead of the expected _gitdaemon user.
> Well, you ought to check the existing daemon flags before changing them.
> 
> Admittedly, this is suboptimal and users have to carry the options along
> themselves, but some third-party daemons will not work with `daemon_user`,
> and I believe git-daemon(1) is one of them.
> 
> > 
> > To reproduce, try an rc.conf.local line such as:
> >    gitdaemon_flags=--listen=127.0.0.1 /git
> > 
> > This happens because the rc script currently depends on git-daemon itself
> > to switch the user ID, rather than using rc.d's built-in mechanism which
> > forces a UID with su(1). If the user overrides the flags, no UID switch
> > will happen.
> Off the top of my head, I know that this is the case for security/hitch
> and net/tinc as well.  I remember discussion about putting `-u $user'
> into `$daemon' itself to enforce the user for cases where our rc.subr(8)
> framework is not applicable, but there were objections.
> 
> > Anyone exposing git-daemon to the public internet on an OpenBSD system
> > should check their system. This line in rc.conf.local will force the
> > daemon to run under its dedicated user account:
> >    gitdaemon_user=_gitdaemon
> This will also (partially?) break git-daemon(1)'s `--inetd' option,
> I think.  From the manual:

You wouldn't be using --inetd in a rcctl-started daemon.

>       --user=<user>, --group=<group>
>           Change daemon’s uid and gid before entering the service loop. When
>           only --user is given without --group, the primary group ID for the
>           user is used. The values of the option are given to getpwnam(3) and
>           getgrnam(3) and numeric IDs are not supported.
> 
>           Giving these options is an error when used with --inetd; use the
>           facility of inet daemon to achieve the same before spawning git
>           daemon if needed.
> 
>           Like many programs that switch user id, the daemon does not reset
>           environment variables such as $HOME when it runs git programs, e.g.
> 
> So switching to "_gitdaemon" at runtime and starting as it through su(1)
> is not the same.
> 
> > Note that git-daemon does not support any of the standard exploit
> > mitigation measures regular OpenBSD daemons provide; there is not
> > even support for chroot(8).
> > 
> > Fix for the port:
> This seems like the right direction and I support setups with less
> potential to accidentally run things as root, but existing setups might
> break.
> 

I think this is likely to work for git-daemon but isn't always going
to work in the general case (sometimes a daemon needs to bind to port <1024,
for example). So maybe it's better if we come up with a more general thing
that can be copied and pasted (after all rc.d/gitdaemon is going to be
present on many users' and devs' machines so it's not a bad place for
a reusable example).

Hardcoding a username in $daemon won't always work, somebody might need
to run as a different uid. Another approach might be a custom rc_start
that starts the daemon as root and adds --user=${daemon_user} etc to the
command line.

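The "custom rc_start" idea from the last paragraph, written out as an added example. This is not the git port's actual rc.d script and not code from any poster; the install path, the default flags, the pexp line and the rc_bg/rc_reload settings are assumptions. The daemon is started as root by rc.d and the privilege drop is git-daemon's own --user flag, which rc_start prepends itself so an rc.conf.local override of gitdaemon_flags cannot remove it; an empty or root daemon_user is refused rather than honoured.

```shell
#!/bin/ksh
# Added example of an rc.d-style script for git-daemon (not the port's real
# script). Two lines that are live under rc.d are commented out so the block
# also runs outside OpenBSD: sourcing rc.subr and the final rc_cmd call.

daemon="/usr/local/bin/git daemon"    # assumed install path
daemon_flags="--syslog --reuseaddr --export-all --base-path=/var/git /var/git"
daemon_user="_gitdaemon"              # gitdaemon_user=... in rc.conf.local overrides this

# . /etc/rc.d/rc.subr                 # live in the real script: defines rc_cmd, rc_check, ...

# rc_check matches the running process against pexp, so it must reflect the
# command actually executed, including the --user flag prepended below
# (assumed form; adjust to what ps(1) shows on the target system).
pexp="${daemon} --user=${daemon_user}${daemon_flags:+ ${daemon_flags}}"
rc_bg=YES       # git-daemon does not detach on its own
rc_reload=NO

# Assemble the command line. --user is a fixed part of it, not part of the
# overridable flags; --group is omitted because git-daemon then uses the
# user's primary group (see the manual excerpt quoted in the thread).
gitdaemon_cmdline() {
	user="$1"; shift
	case "$user" in
	""|root)
		echo "${0##*/}: refusing to start git-daemon as root" >&2
		return 1 ;;
	esac
	printf '%s --user=%s%s\n' "$daemon" "$user" "${*:+ $*}"
}

# rc.d invokes rc_start as root. The default rc_start would go through
# ${rcexec} (su to daemon_user); this override runs the daemon directly
# and leaves the uid switch to git-daemon's --user.
rc_start() {
	cmd=$(gitdaemon_cmdline "${daemon_user}" ${daemon_flags}) || return 1
	${cmd}
}

# rc_cmd "$1"                          # live in the real script

# Outside rc.d: print what rc_start would execute, without starting anything.
gitdaemon_cmdline "${daemon_user}" ${daemon_flags}
```

Because rc_start bypasses ${rcexec}, daemon_user is no longer used by rc.subr to su(1) before the exec; it only feeds the --user option, which is why the root/empty check sits in gitdaemon_cmdline rather than being left to the framework.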