Re: pledge/unveil: net/gophernicus
On Fri, 18 Jan 2019, Edd Barrett wrote: > Has anyone else had a chance to look at this now that Theo's comments > are (I think/hope) addressed? > > I'm not looking for OKs, but if it "looks good", I'd like to discuss the > changes with upsteam. Just installed it on my personal server. It seems to be working just fine. I could not find any issues, although my testing was not so exhaustive. Cheers, -- Paco Esteban https://onna.be/gpgkey.asc
Re: pledge/unveil: net/gophernicus
Hi, On Tue, Jan 01, 2019 at 09:31:29PM +, Edd Barrett wrote: > Gah, you're right! > > There's no need to unveil /etc/resolv.conf or /etc/pwd.db. > > ... > It turns out DNS is not required at all! So that's why it was working > when I was testing. > > I also realised that none of 'tmppath', 'wpath' or 'cpath' pledges are > required either. > > This brings us to the diff below. Anything else fishy? Has anyone else had a chance to look at this now that Theo's comments are (I think/hope) addressed? I'm not looking for OKs, but if it "looks good", I'd like to discuss the changes with upsteam. Cheers -- Best Regards Edd Barrett http://www.theunixzoo.co.uk
Re: pledge/unveil: net/gophernicus
Hey, On Tue, Jan 01, 2019 at 12:30:04PM -0700, Theo de Raadt wrote: > In particular, specific pledges open up various system files, so those > do not need to be opened via unveil. Gah, you're right! There's no need to unveil /etc/resolv.conf or /etc/pwd.db. > The lack of pledge "dns" but opening of resolv.conf shows a further > misunderstanding, and also a lack of testing. It turns out DNS is not required at all! So that's why it was working when I was testing. I also realised that none of 'tmppath', 'wpath' or 'cpath' pledges are required either. This brings us to the diff below. Anything else fishy? (Does anyone on-list host a real gopher site that they could test with?) Cheers! Index: Makefile === RCS file: /cvs/ports/net/gophernicus/Makefile,v retrieving revision 1.17 diff -u -p -r1.17 Makefile --- Makefile4 Sep 2018 12:46:17 - 1.17 +++ Makefile31 Dec 2018 19:30:19 - @@ -3,7 +3,7 @@ COMMENT= modern gopher server DISTNAME= gophernicus-2.5 CATEGORIES=net -REVISION= 0 +REVISION= 1 HOMEPAGE= gopher://gophernicus.org/ MAINTAINER = Brian Callahan Index: patches/patch-README === RCS file: patches/patch-README diff -N patches/patch-README --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-README1 Jan 2019 16:01:17 - @@ -0,0 +1,17 @@ +$OpenBSD$ + +Pledge and unveil. Based upon: +https://github.com/0x16h/gophernicus/commit/1f61d46a5ebb061d5862a6a61e296b473c169ec6 + +Index: README +--- README.orig README +@@ -43,6 +43,8 @@ Command line options: + -nm Disable shared memory use (for debugging) + -nr Disable root user checking (for debugging) + -np Disable HAproxy proxy protocol ++-ne Disable executable gophermaps ++-nu Disable personal gopherspaces + + -dDebug to syslog (not for production use) + -vDisplay version number and build date Index: patches/patch-gophernicus_c === RCS file: patches/patch-gophernicus_c diff -N patches/patch-gophernicus_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-gophernicus_c 1 Jan 2019 21:26:28 - @@ -0,0 +1,155 @@ +$OpenBSD$ + +Pledge and unveil. Based upon: +https://github.com/0x16h/gophernicus/commit/1f61d46a5ebb061d5862a6a61e296b473c169ec6 + +Index: gophernicus.c +--- gophernicus.c.orig gophernicus.c +@@ -219,7 +219,8 @@ void selector_to_path(state *st) + + #ifdef HAVE_PASSWD + /* Virtual userdir (~user -> /home/user/public_gopher)? */ +- if (*(st->user_dir) && sstrncmp(st->req_selector, "/~") == MATCH) { ++ if (st->opt_personal_spaces && *(st->user_dir) && ++ sstrncmp(st->req_selector, "/~") == MATCH) { + + /* Parse userdir login name & path */; + sstrlcpy(buf, st->req_selector + 2); +@@ -453,6 +454,8 @@ void init_state(state *st) + st->opt_shm = TRUE; + st->opt_root = TRUE; + st->opt_proxy = TRUE; ++ st->opt_execmaps = TRUE; ++ st->opt_personal_spaces = TRUE; + st->debug = FALSE; + + /* Load default suffix -> filetype mappings */ +@@ -488,6 +491,9 @@ int main(int argc, char *argv[]) + char local[BUFSIZE]; + int dummy; + #endif ++#ifdef __OpenBSD__ ++ char pledges[256]; ++#endif + + /* Get the name of this binary */ + if ((c = strrchr(argv[0], '/'))) sstrlcpy(self, c + 1); +@@ -506,6 +512,67 @@ int main(int argc, char *argv[]) + /* Open syslog() */ + if (st.opt_syslog) openlog(self, LOG_PID, LOG_DAEMON); + ++#ifdef __OpenBSD__ ++ /* unveil(2) support */ ++ if (st.opt_execmaps) { ++ /* ++ * We can't really unveil(2) if the user is expecting to shell-out ++ * to an arbitrary command. ++ */ ++ if (st.opt_syslog) { ++ syslog(LOG_WARNING, ++ "executable gophermaps enabled, can't unveil(2)"); ++ } ++ } else { ++ /* Always unveil the server root */ ++ if (unveil(st.server_root, "r") == -1) ++ die(, NULL, "unveil"); ++ ++ /* ++ * Personal spaces serve "gopher://host/1/~user; from ++ * "/home/user/public_gopher". ++ */ ++ if (st.opt_personal_spaces) { ++ syslog(LOG_WARNING, ++ "personal gopherspaces enabled, unveil(2) /home"); ++ if (unveil("/home", "r") == -1) ++ die(, NULL, "unveil"); ++ } ++ } ++ ++ /* pledge(2) support */ ++ if (st.opt_shm) { ++ /* ++ * pledge(2) never allows shared memory. ++ */ ++ if
Re: pledge/unveil: net/gophernicus
The proposed diff contains many problems, and demonstrate that pledge and unveil are not well understood. In particular, specific pledges open up various system files, so those do not need to be opened via unveil. Thos unveil calls are misguided. This is a pretty strange misunderstanding. The lack of pledge "dns" but opening of resolv.conf shows a further misunderstanding, and also a lack of testing. DNS lookups cannot be working with this diff. If you open up /etc/resolv.conf, but don't allow the opening of "dns sockets" by pledging "dns", it ain't gonna work. As provided, this diff surely breaks the program. And wasn't spotted during testing. >Having been interested in learning about pledge and unveil, I decided to >try and tighten up net/gophernicus (just in time for the hipster >resurgence of gopher you've all been waiting for :P ). > >It turned out to be harder than expected, due to some of the features >and design decisions made upstream (shared memory, arbitrary popens, >personal "gopherspaces"), but I think I have something workable. > >In short, it depends what features you have enabled as to how far we can >tighten up security. The new section in the README should serve as an >overview. > >This work is loosely based on: >https://cryogenix.net/gophernicus.html > >(But note that I'm not addressing TLS support here) > >Posting for comments before I propose this to upstream. I'd rather not >have to maintain this as local patches. > >Happy new year porters! > > >Index: Makefile >=== >RCS file: /cvs/ports/net/gophernicus/Makefile,v >retrieving revision 1.17 >diff -u -p -r1.17 Makefile >--- Makefile 4 Sep 2018 12:46:17 - 1.17 >+++ Makefile 31 Dec 2018 19:30:19 - >@@ -3,7 +3,7 @@ > COMMENT= modern gopher server > DISTNAME= gophernicus-2.5 > CATEGORIES= net >-REVISION= 0 >+REVISION= 1 > > HOMEPAGE= gopher://gophernicus.org/ > MAINTAINER = Brian Callahan >Index: patches/patch-README >=== >RCS file: patches/patch-README >diff -N patches/patch-README >--- /dev/null 1 Jan 1970 00:00:00 - >+++ patches/patch-README 1 Jan 2019 16:01:17 - >@@ -0,0 +1,17 @@ >+$OpenBSD$ >+ >+Pledge and unveil. Based upon: >+https://github.com/0x16h/gophernicus/commit/1f61d46a5ebb061d5862a6a61e296b473c169ec6 >+ >+Index: README >+--- README.orig > README >+@@ -43,6 +43,8 @@ Command line options: >+ -nm Disable shared memory use (for debugging) >+ -nr Disable root user checking (for debugging) >+ -np Disable HAproxy proxy protocol >++-ne Disable executable gophermaps >++-nu Disable personal gopherspaces >+ >+ -dDebug to syslog (not for production use) >+ -vDisplay version number and build date >Index: patches/patch-gophernicus_c >=== >RCS file: patches/patch-gophernicus_c >diff -N patches/patch-gophernicus_c >--- /dev/null 1 Jan 1970 00:00:00 - >+++ patches/patch-gophernicus_c1 Jan 2019 15:58:47 - >@@ -0,0 +1,174 @@ >+$OpenBSD$ >+ >+Pledge and unveil. Based upon: >+https://github.com/0x16h/gophernicus/commit/1f61d46a5ebb061d5862a6a61e296b473c169ec6 >+ >+Index: gophernicus.c >+--- gophernicus.c.orig > gophernicus.c >+@@ -25,7 +25,6 @@ >+ >+ #include "gophernicus.h" >+ >+- >+ /* >+ * Print gopher menu line >+ */ >+@@ -219,7 +218,8 @@ void selector_to_path(state *st) >+ >+ #ifdef HAVE_PASSWD >+ /* Virtual userdir (~user -> /home/user/public_gopher)? */ >+- if (*(st->user_dir) && sstrncmp(st->req_selector, "/~") == MATCH) { >++ if (st->opt_personal_spaces && *(st->user_dir) && >++ sstrncmp(st->req_selector, "/~") == MATCH) { >+ >+ /* Parse userdir login name & path */; >+ sstrlcpy(buf, st->req_selector + 2); >+@@ -453,6 +453,8 @@ void init_state(state *st) >+ st->opt_shm = TRUE; >+ st->opt_root = TRUE; >+ st->opt_proxy = TRUE; >++ st->opt_execmaps = TRUE; >++ st->opt_personal_spaces = TRUE; >+ st->debug = FALSE; >+ >+ /* Load default suffix -> filetype mappings */ >+@@ -488,6 +490,9 @@ int main(int argc, char *argv[]) >+ char local[BUFSIZE]; >+ int dummy; >+ #endif >++#ifdef __OpenBSD__ >++ char pledges[256]; >++#endif >+ >+ /* Get the name of this binary */ >+ if ((c = strrchr(argv[0], '/'))) sstrlcpy(self, c + 1); >+@@ -506,6 +511,78 @@ int main(int argc, char *argv[]) >+ /* Open syslog() */ >+ if (st.opt_syslog) openlog(self, LOG_PID, LOG_DAEMON); >+ >++#ifdef __OpenBSD__ >++ /* unveil(2) support */ >++ if (st.opt_execmaps) { >++ /* >++ * We can't really unveil(2) if the user is expecting to >shell-out >++ * to an arbitrary command. >++ */ >++ if
pledge/unveil: net/gophernicus
Hey, Having been interested in learning about pledge and unveil, I decided to try and tighten up net/gophernicus (just in time for the hipster resurgence of gopher you've all been waiting for :P ). It turned out to be harder than expected, due to some of the features and design decisions made upstream (shared memory, arbitrary popens, personal "gopherspaces"), but I think I have something workable. In short, it depends what features you have enabled as to how far we can tighten up security. The new section in the README should serve as an overview. This work is loosely based on: https://cryogenix.net/gophernicus.html (But note that I'm not addressing TLS support here) Posting for comments before I propose this to upstream. I'd rather not have to maintain this as local patches. Happy new year porters! Index: Makefile === RCS file: /cvs/ports/net/gophernicus/Makefile,v retrieving revision 1.17 diff -u -p -r1.17 Makefile --- Makefile4 Sep 2018 12:46:17 - 1.17 +++ Makefile31 Dec 2018 19:30:19 - @@ -3,7 +3,7 @@ COMMENT= modern gopher server DISTNAME= gophernicus-2.5 CATEGORIES=net -REVISION= 0 +REVISION= 1 HOMEPAGE= gopher://gophernicus.org/ MAINTAINER = Brian Callahan Index: patches/patch-README === RCS file: patches/patch-README diff -N patches/patch-README --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-README1 Jan 2019 16:01:17 - @@ -0,0 +1,17 @@ +$OpenBSD$ + +Pledge and unveil. Based upon: +https://github.com/0x16h/gophernicus/commit/1f61d46a5ebb061d5862a6a61e296b473c169ec6 + +Index: README +--- README.orig README +@@ -43,6 +43,8 @@ Command line options: + -nm Disable shared memory use (for debugging) + -nr Disable root user checking (for debugging) + -np Disable HAproxy proxy protocol ++-ne Disable executable gophermaps ++-nu Disable personal gopherspaces + + -dDebug to syslog (not for production use) + -vDisplay version number and build date Index: patches/patch-gophernicus_c === RCS file: patches/patch-gophernicus_c diff -N patches/patch-gophernicus_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-gophernicus_c 1 Jan 2019 15:58:47 - @@ -0,0 +1,174 @@ +$OpenBSD$ + +Pledge and unveil. Based upon: +https://github.com/0x16h/gophernicus/commit/1f61d46a5ebb061d5862a6a61e296b473c169ec6 + +Index: gophernicus.c +--- gophernicus.c.orig gophernicus.c +@@ -25,7 +25,6 @@ + + #include "gophernicus.h" + +- + /* + * Print gopher menu line + */ +@@ -219,7 +218,8 @@ void selector_to_path(state *st) + + #ifdef HAVE_PASSWD + /* Virtual userdir (~user -> /home/user/public_gopher)? */ +- if (*(st->user_dir) && sstrncmp(st->req_selector, "/~") == MATCH) { ++ if (st->opt_personal_spaces && *(st->user_dir) && ++ sstrncmp(st->req_selector, "/~") == MATCH) { + + /* Parse userdir login name & path */; + sstrlcpy(buf, st->req_selector + 2); +@@ -453,6 +453,8 @@ void init_state(state *st) + st->opt_shm = TRUE; + st->opt_root = TRUE; + st->opt_proxy = TRUE; ++ st->opt_execmaps = TRUE; ++ st->opt_personal_spaces = TRUE; + st->debug = FALSE; + + /* Load default suffix -> filetype mappings */ +@@ -488,6 +490,9 @@ int main(int argc, char *argv[]) + char local[BUFSIZE]; + int dummy; + #endif ++#ifdef __OpenBSD__ ++ char pledges[256]; ++#endif + + /* Get the name of this binary */ + if ((c = strrchr(argv[0], '/'))) sstrlcpy(self, c + 1); +@@ -506,6 +511,78 @@ int main(int argc, char *argv[]) + /* Open syslog() */ + if (st.opt_syslog) openlog(self, LOG_PID, LOG_DAEMON); + ++#ifdef __OpenBSD__ ++ /* unveil(2) support */ ++ if (st.opt_execmaps) { ++ /* ++ * We can't really unveil(2) if the user is expecting to shell-out ++ * to an arbitrary command. ++ */ ++ if (st.opt_syslog) { ++ syslog(LOG_WARNING, ++ "executable gophermaps enabled, can't unveil(2)"); ++ } ++ } else { ++ /* These paths must always available */ ++ if (unveil("/tmp", "rcw") == -1) ++ die(, NULL, "unveil"); ++ if (unveil("/etc/hosts", "r") == -1) ++ die(, NULL, "unveil"); ++ if (unveil("/etc/resolv.conf", "r") == -1) ++ die(, NULL, "unveil"); ++ if (unveil(st.server_root, "r") == -1) ++ die(, NULL, "unveil"); ++ ++ /* ++ * Personal spaces serve "gopher://host/1/~user; from ++ *