[PATCH v3] Tighter pledges for ftp(1)

2020-05-03 Thread Demi M. Obenour
This prevents non-interactive invocations of ftp(1) from spawning external commands in case they are compromised. This is a significant security benefit for sysupgrade(8). In the future, output files (specified with -o) can be opened before pledge(2) is called, which will improve security further

Re: Tighter pledges for ftp(1)

2020-05-03 Thread Demi M. Obenour
On 2020-05-03 12:18, Theo de Raadt wrote:
> Thanks Stuart.
>
>
> The lesson is clear. No pledge/unveil work unless you test *ALL PROGRAM
> BEHAVIOURS*. Doing less than the full testing is ... uhm, egotistical.

Sorry about that. Hopefully my next version will fix it.

> And it is completely norm

Re: Tighter pledges for ftp(1)

2020-05-03 Thread Demi M. Obenour
On 2020-05-03 12:13, Stuart Henderson wrote:
> On 2020/05/02 20:19, Demi M. Obenour wrote:
>> The following patch tightens the pledges for ftp(1).
>>
>> This guarantees that ftp(1) cannot spawn child processes when operating
>> in batch mode, which is a significant security win.
>
> It breaks inte

Re: Tighter pledges for ftp(1)

2020-05-03 Thread Theo de Raadt
Thanks Stuart. The lesson is clear. No pledge/unveil work unless you test *ALL PROGRAM BEHAVIOURS*. Doing less than the full testing is ... uhm, egotistical. And it is completely normal that as the pledges and unveils harden, the amount of test cases to discover exceeds expectation. Stuart He

Re: Tighter pledges for ftp(1)

2020-05-03 Thread Stuart Henderson
On 2020/05/02 20:19, Demi M. Obenour wrote:
> The following patch tightens the pledges for ftp(1).
>
> This guarantees that ftp(1) cannot spawn child processes when operating
> in batch mode, which is a significant security win.

It breaks interactive mode (!ls, more somefile, get somefile "|rot13

Tighter pledges for ftp(1)

2020-05-02 Thread Demi M. Obenour
The following patch tightens the pledges for ftp(1).

This guarantees that ftp(1) cannot spawn child processes when operating in batch mode, which is a significant security win.

Index: usr.bin/ftp/main.c
===
RCS file: /cvs/src/usr.bin

Re: Tighter pledges for ftp(1)

2020-05-02 Thread Demi M. Obenour
On 2020-05-02 17:04, Hiltjo Posthuma wrote:
> On Sat, May 02, 2020 at 04:48:38PM -0400, Qubes privileged user wrote:
>> The following patch tightens the pledges for ftp(1).
>>
>> This provides some additional guarantees, including that ftp(1) cannot
>> spawn child processes. This is a significant

Tighter pledges for ftp(1)

2020-05-02 Thread Qubes privileged user
The following patch tightens the pledges for ftp(1).

This provides some additional guarantees, including that ftp(1) cannot spawn child processes. This is a significant security win for sysupgrade(8).

I hope I did not mess up the diff - this is my first time submitting one.

Index: usr.bin/ftp/m