I recently installed Prosody after a few years hiatus from XMPP. Previously I used ejabberd, but that was removed from ports. Given the ease of writing modules in Lua generally, and Prosody specifically, I figured it would be relatively simple to add pledge(2) and unveil(2) support.
https://github.com/wahern/prosody-openbsd

It was less simple than I anticipated, as Prosody's module API doesn't let you control module loading order beyond statically-defined dependencies within each module. Because I was concerned about modules potentially accidentally loading malicious state from /var/prosody, I wanted to begin isolating the process ASAP, before most other modules were even loaded and had the opportunity to read mutable state, regardless of whether any modules actually did this. (NB: They don't seem to, but I could be wrong, and it could silently change in the future.) Doing this required a non-standard configuration approach that poked at some internal APIs.

Other than that, things seem to be working well. But I don't have much experience running a Prosody installation, and am still struggling to get MUC cloud notifications working, so I'm curious if anybody has any suggestions or comments.

One improvement I'll likely make soon is to narrow down /var/prosody permissions. Currently /var/prosody (prosody.paths.data) is unveiled with "rwc" by default. But ideally the process would only have write and create permissions to specific files and subdirectories (/var/prosody/prosody.pid, /var/prosody/prosody.log, /var/prosody/$VIRTUALHOST, etc.), not the directory entirely. This can be done currently with explicit unveil configuration directives, but a finer-grained unveil'ing should be done by default. In particular, log files should be write-only if possible. (Even better would be only using syslog, but even I haven't bothered changing that default configuration.) I need to examine Prosody's storage module(s) to make sure I properly understand the most common layouts and how their paths are specified in the configuration, and perhaps double-check that non-existent directories (in the case of first startup after adding a virtualhost) can be unveil'd similar to files.

TIA for comments and suggestions,

- Bill
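As an added illustration, not code from the post above nor from the prosody-openbsd project, here is a small C program that builds the narrowed unveil(2) table the post describes (read-only on the data directory, write+create on the pid and log files, read/write/create only inside each virtualhost's subdirectory) and then applies it and pledge(2)s. The data directory, host names and the pledge promise string are constructed sample values; the `rule_allows()` function is a user-space model of unveil's longest-matching-path rule used to check the table before it is handed to the kernel, and the real `unveil()`/`pledge()` calls are only compiled on OpenBSD.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define RULE_PATH_MAX 256

/* One unveil(2) entry: an absolute path and its permission letters (r, w, c, x). */
struct unveil_rule {
    char path[RULE_PATH_MAX];
    char perms[8];
};

/* Append one entry to the table; fails with ENOSPC/ENAMETOOLONG rather than truncating. */
static int add_rule(struct unveil_rule *rules, size_t max, size_t *n,
                    const char *path, const char *perms)
{
    if (*n >= max) { errno = ENOSPC; return -1; }
    if (strlen(path) >= RULE_PATH_MAX || strlen(perms) >= sizeof rules[*n].perms) {
        errno = ENAMETOOLONG; return -1;
    }
    strcpy(rules[*n].path, path);
    strcpy(rules[*n].perms, perms);
    (*n)++;
    return 0;
}

/* dir + "/" + name into buf, refusing silent truncation. */
static int join_path(char *buf, size_t size, const char *dir, const char *name)
{
    int len = snprintf(buf, size, "%s/%s", dir, name);
    if (len < 0 || (size_t)len >= size) { errno = ENAMETOOLONG; return -1; }
    return 0;
}

/* Build the narrowed table for data_dir (prosody.paths.data) and the given virtualhosts.
 * Returns the number of rules, or -1 with errno set. */
int build_unveil_rules(const char *data_dir, const char *const *hosts, size_t nhosts,
                       struct unveil_rule *rules, size_t max_rules)
{
    size_t n = 0;
    char path[RULE_PATH_MAX];

    /* The data directory itself: read-only, instead of the default "rwc" on the whole tree. */
    if (add_rule(rules, max_rules, &n, data_dir, "r") == -1) return -1;

    /* pid and log files: create + write only; the daemon never needs to read them back. */
    if (join_path(path, sizeof path, data_dir, "prosody.pid") == -1) return -1;
    if (add_rule(rules, max_rules, &n, path, "wc") == -1) return -1;
    if (join_path(path, sizeof path, data_dir, "prosody.log") == -1) return -1;
    if (add_rule(rules, max_rules, &n, path, "wc") == -1) return -1;

    /* Per-virtualhost storage: full rwc, but confined to that subtree. */
    for (size_t i = 0; i < nhosts; i++) {
        if (join_path(path, sizeof path, data_dir, hosts[i]) == -1) return -1;
        if (add_rule(rules, max_rules, &n, path, "rwc") == -1) return -1;
    }
    return (int)n;
}

/* Model of unveil's matching: the longest rule whose path equals `path` or is a
 * directory prefix of it decides; true when that rule grants permission `perm`.
 * Paths under no rule are invisible, so every permission is denied. */
bool rule_allows(const struct unveil_rule *rules, size_t n, const char *path, char perm)
{
    const struct unveil_rule *best = NULL;
    size_t best_len = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(rules[i].path);
        if (strncmp(path, rules[i].path, len) == 0 &&
            (path[len] == '\0' || path[len] == '/') && len >= best_len) {
            best = &rules[i];
            best_len = len;
        }
    }
    return best != NULL && strchr(best->perms, perm) != NULL;
}

/* Hand the table to the kernel, lock it, then pledge. OpenBSD only; ENOSYS elsewhere. */
int apply_unveil_rules(const struct unveil_rule *rules, size_t n, const char *promises)
{
#ifdef __OpenBSD__
    for (size_t i = 0; i < n; i++)
        if (unveil(rules[i].path, rules[i].perms) == -1) return -1;
    if (unveil(NULL, NULL) == -1) return -1;   /* no further unveil() calls allowed */
    return pledge(promises, NULL);
#else
    (void)rules; (void)n; (void)promises;
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
    /* Constructed sample values; a real build would take these from the Prosody config. */
    const char *hosts[] = { "example.org" };
    struct unveil_rule rules[16];
    int n = build_unveil_rules("/var/prosody", hosts, 1, rules, 16);
    if (n < 0) { perror("build_unveil_rules"); return 1; }

    for (int i = 0; i < n; i++)
        printf("unveil %-40s %s\n", rules[i].path, rules[i].perms);

    /* Assumed promise set for a network daemon that writes its own files. */
    if (apply_unveil_rules(rules, (size_t)n, "stdio rpath wpath cpath inet dns unix") == -1)
        perror("apply_unveil_rules (expected ENOSYS off OpenBSD)");
    return 0;
}
```

Because the rule for the data directory only grants "r", a stray file such as /var/prosody/stray.lua stays readable but can no longer be written or created by the daemon, whereas anything under /var/prosody/example.org keeps "rwc"; the model makes that checkable before the table is locked with `unveil(NULL, NULL)`.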