On Fri, Jan 31, 2020, at 09:29, Janne Johansson wrote:
> On Thu, 30 Jan 2020 at 21:08, Patrick Kristiansen
> <patr...@tamstrup.dk> wrote:
> >  > Properly starting up a daemon process requires several steps,
> >  > often involving unveil(2), pledge(2), chroot(2), privilege
> >  > dropping, sometimes fork+exec for privilege separation, and so on
> > 
> >  The process I need to run is written in Clojure and thus runs on the
> >  Java Virtual Machine. Do you have any suggestions on how to best go
> >  about making it "daemon-like"? I am not sure that I can call unveil(2),
> >  pledge(2) and chroot(2) from Clojure without some strange sorcery.
> 
> So not related to only Clojure but rather on runtimes that are large
> and unwieldy, this seems to be exactly why pledge() and unveil() came
> into being in the first place, after seeing things that need to do
> certain privileged operations at some early point, but because of
> design/runtime/hard-to-pledge or whatever has to run with the sum of
> all privileges, all capabilities at all times and at the same time
> being exposed to potential hostile data.

Yes. I completely understand the motivation behind pledge, unveil and
similar constructs. I also understand that it sort of runs counter to
using one of the world's most secure-by-default operating systems if you
then run an insecure monstrosity on top of it. I was just starting to
like the OpenBSD experience as a user and sysadmin. :-)

But I also think that it is unrealistic to expect applications to be
written to the same standard as OpenBSD, given the resources needed for
that. Many startups would never get off the ground if that were the
case.

> I can fully see why Ingo would say "I would not run things like that
> exposed", partly because I figure he actually has a choice to not do
> it, but regardless of what electric fences you like (Selinux,
> capsicum, pledge/unveil, chroots) if you create a huge monolith
> running in an environment which actively prevents you from activating
> any kinds of protections, then I can see how you would see some
> friction.

I would like to get more information about doing application programming
for an OS like OpenBSD. I understand that if you program your
applications in C, you have readily available pledge/unveil, etc. But
many applications are written in higher-level languages, and in my case
at least, it seems to be nearly impossible to write a secure application
without changing to C or some other language that can easily use
OpenBSD's system calls. And for a mediocre programmer, or just an
inexperienced one, it exposes you to a whole host of other problems that
can lead to worse security and quality.

The solution is probably just to be a good programmer. ;-)
