OpenBSD: pledge(2) some network-facing checks #2225
Conversation
Love it. I had a workshop about that recently and it sounds good :-)

I would update this PR later to add one or two lines to the initial

that would definitely be nice :-)

4bfcfce to bad7ec6

Rebased the PR branch and added a short explanation about the chosen promises - next to the omnipresent
bad7ec6 to aa6af31

btw I've added the patches from this PR to the OpenBSD -current packages, have seen no problems myself and had no reports of problems.
Yes, feel free to merge. I am using this patch since creating the PR and have not experienced any issues. Of course, these plugins have many switches and I cannot guarantee that nothing will break. As @sthen wrote, they are already shipped in OpenBSD's -current and I also don't know of any complaints.
OpenBSD's pledge(2) system call allows the current process to self-restrict itself, being reduced to promised pledges. For example, unless a process says it wants to write to files, it is not allowed to do so any longer.

This change starts by calling pledge(2) in some network-facing checks, removing the more dangerous privileges, such as executing other files.

My initial motivation came from check_icmp, being installed as a setuid binary and (temporarily) running with root privileges. There, the pledge(2) calls result in check_icmp only being allowed to interact with the network and to setuid(2) to the calling user later on.

Afterwards, I went through my most commonly used monitoring plugins directly interacting with the network. Thus, I continued with pledge(2)-ing check_curl - having a huge codebase and all -, check_ntp_time, check_smtp, check_ssh, and check_tcp.

For most of those, the changes were quite similar: start with network-friendly promises, parse the configuration, give up file access, and proceed with the actual check.

While this change might only address a niche, I would argue it might help a lot by only a few lines in case of disaster. But I am open to other opinions.
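The staged promise sequence described in the PR body (start with network-friendly promises, parse options, then give up file access), as an added example in C that is not code from this PR or from monitoring-plugins. `pledge_narrow` and `staged_check` are assumed helper names; on OpenBSD the helper calls pledge(2), elsewhere a hypothetical fallback only tracks the promise sets so the narrowing rule can be checked.

```c
/* Added example, not from the PR: a helper that applies pledge(2) in stages and
 * refuses any attempt to regain a promise, mirroring pledge(2)'s EPERM behaviour.
 * Off OpenBSD (hypothetical fallback) only the bookkeeping runs; nothing is enforced. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_PROMISES 32

static char current[MAX_PROMISES][16];  /* promises currently held */
static int ncurrent = -1;               /* -1: no pledge applied yet */

static int has_promise(const char *p) {
    for (int i = 0; i < ncurrent; i++)
        if (strcmp(current[i], p) == 0) return 1;
    return 0;
}

/* Apply a narrower promise set. Returns 0 on success; -1 with errno=EPERM when the new
 * set names a promise that is not already held (pledge(2) rejects widening the same way). */
int pledge_narrow(const char *promises) {
    char buf[256], next[MAX_PROMISES][16];
    int n = 0;
    snprintf(buf, sizeof buf, "%s", promises);
    for (char *tok = strtok(buf, " "); tok && n < MAX_PROMISES; tok = strtok(NULL, " ")) {
        if (ncurrent >= 0 && !has_promise(tok)) { errno = EPERM; return -1; }
        snprintf(next[n++], sizeof next[0], "%s", tok);
    }
#ifdef __OpenBSD__
    if (pledge(promises, NULL) == -1) return -1;  /* kernel enforces from here on */
#endif
    memcpy(current, next, sizeof next);
    ncurrent = n;
    return 0;
}

/* The check_tcp-style sequence from the PR: network-friendly start, option parsing,
 * then drop read access to files before the actual network check. */
int staged_check(int argc, char **argv) {
    if (pledge_narrow("stdio rpath inet dns") == -1) return -1;  /* config may still be read */
    (void)argc; (void)argv;                                       /* option parsing goes here */
    if (pledge_narrow("stdio inet dns") == -1) return -1;        /* rpath given up for good */
    return 0;                                                     /* network check follows */
}
```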