On 10/10/15 02:10, Theo de Raadt wrote:
> CVSROOT: /cvs
> Module name: src
> Changes by: dera...@cvs.openbsd.org 2015/10/09 18:10:08
> Modified files:
> bin/ksh : Makefile c_sh.c main.c
> distrib/special/ksh: Makefile
> Log message:
> ksh can run with pledge "stdio rpath wpath cpath getpw fattr proc exec tty"
> if the mknod builtin is disabled. It looks like a lot of abilities, but
> hey, this is a shell. Can't open sockets or do other nasty stuff though.
> (we'll leave the mknod builtin enabled on the install media for now; there
> is work happening to regain the MAKEDEV performance in a different way)
> discussions with otto & millert in particular

Hello tech@,
First of all thank you Theo and all the other OpenBSD developers for
bringing tame^Wpledge into our lives. I think it's a great system for
adding security to applications.

I am however curious about this patch. By pledging ksh with exec it appears
to me that once a pledged process is execve(2)d it loses its already
made pledges. (How else could applications spawned from the shell still
get their network interaction going?) This to me seems like
something that might be undesirable (find remote code execution -> insert
exec of application -> do some evil network activity).
Is the above observation correct or am I missing something?

Another option that would seem interesting to me is to be able to pledge
new applications before they get executed. This would for instance allow
revoking proc/exec in doas(1) before it execs the final application
itself. This would allow for something similar to the NOEXEC function
from sudo. Since my vias[1] patch was dismissed and some don't seem to
mind running their editor (with shell capabilities) as another user, it
would seem only fitting to me that doas(1) would be able to revoke
executing privileges from the editor before it is fired up, so as not to be
able to do whatever we please as the user running the editor.
Is something like this in the pipeline?

Let the record show that this mail is written out of ignorance and
merely intended to get myself educated on the subject and to poke the
bear to see its (future) capabilities. Not to criticise, or to get
mauled by said bear.

Sincerely,
Martijn van Duren

[1] A new version against the latest doas is up at
http://imperialat.at/vias.diff for the potential few actually using it.