I’ll get to looking at ftp(1) more when I get some physical contact with my
server. I’m quaranteaming with my girlfriend’s folks.

I have a pkg_ping program (OpenBSD-specific, DNS caching, latency-timed,
architecture- and version-specific mirror search; which doesn't download
from OpenBSD.org/ftp.html anymore) that calls ftp to look up a random
mirror's ftplist, and it seems unreasonable that, with the availability of
unveil, ftp is hardly secured at all outside of a program that must be
root and then change to an unprivileged user to have much of any real file
system safety. The fact that ftp even has an interactive mode suggests to
me that perhaps people do use, or at least have used, it as a normal user,
seeing that if you put yourself in a chroot and try to run it, it will in
most cases preclude your access to ftp(1) at all.

I mentioned initially:

It could take 3 lines at line 389 in /usr/src/usr.bin/ftp/main.c:
if (strcmp(outfile, "-") != 0)
    if (unveil(outfile, "cw") == -1)
        err(1, "unveil");

but it could look at several of the options like the cookie and certificate
paths and such.

I’d love to make it as safe to run as root as it is running it as an
unprivileged chrooted user! And I love C!

The reason I mentioned "unveil("/", "rx")" is because if you unveiled
anything like the "cw" privileges example, you'd obviously have to ensure
that the read and exec privileges, perhaps even global ones, are granted too.

On Fri, May 29, 2020 at 8:50 AM Stuart Henderson <s...@spacehopper.org>
wrote:

> On 2020/05/29 08:30, Luke Small wrote:
> > You mention a lot of files that need to be read, but a program like
> > pkg_add can make it the _pkgfetch (57) user which has no directory and
> > I'm guessing not in interactive mode. At the very least, in
> > noninteractive mode you could unveil("/", "rx"); and change the
> > specified output file discover the name of the file that is to be
> > downloaded and unveil it as "cw" !
> > --
> > -Luke
>
> What problem are you trying to solve?
>
> If you are concerned about writes, use "ftp -o - $URL > somefile", it will
> run without cpath/wpath, which is functionally similar to unveil("/", "rx")
> (a bit stronger, because a program trying to write will be killed, rather
> than just having a file access error).
>
> pkg_add(1) already uses "ftp -o -":
>
> # ktrace -di pkg_add -u moo
> quirks-3.339 signed on 2020-05-27T20:05:28Z
>
> # kdump | grep promise=
>  61644 ftp      STRU  promise="stdio rpath dns tty inet proc exec fattr"
>  41938 signify  STRU  promise="stdio rpath wpath cpath tty"
>  41938 signify  STRU  promise="stdio rpath"
>  24897 ftp      STRU  promise="stdio rpath dns tty inet proc exec fattr"
>  54324 signify  STRU  promise="stdio rpath wpath cpath tty"
>  54324 signify  STRU  promise="stdio rpath"
>   9188 ftp      STRU  promise="stdio rpath dns tty inet proc exec fattr"
>
> --
-Luke
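Putting the two halves of the thread side by side (unveil the single output path "cw" on top of a read/exec-only "/", and keep wpath/cpath out of the pledge set when output goes to stdout as with "ftp -o -") as an added example; this is not code from ftp(1) or from anyone in this thread. On non-OpenBSD hosts the unveil/pledge calls are replaced by hypothetical no-op stand-ins so only the decision logic runs.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Hypothetical stand-ins so the decision logic compiles elsewhere; the
 * real unveil(2)/pledge(2) only exist, and only enforce, on OpenBSD. */
static int unveil(const char *p, const char *perms) { (void)p; (void)perms; return 0; }
static int pledge(const char *pr, const char *ex) { (void)pr; (void)ex; return 0; }
#endif

/* Promise set kdump showed for "ftp -o -" in the thread: no wpath/cpath. */
#define BASE_PROMISES "stdio rpath dns tty inet proc exec fattr"

/* Pick the pledge string for an output target: "-" means stdout, so the
 * process never needs to open or create a file for writing; any other
 * path needs wpath (open for write) and cpath (create). Returns -1 if
 * buf is too small, 0 otherwise. */
int output_promises(const char *outfile, char *buf, size_t len)
{
    int n;
    if (strcmp(outfile, "-") == 0)
        n = snprintf(buf, len, "%s", BASE_PROMISES);
    else
        n = snprintf(buf, len, "%s wpath cpath", BASE_PROMISES);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Apply the sandbox in the order the calls must come: the whole tree
 * read/exec-only (resolv.conf, certificates, helpers), exactly one path
 * create/write if a real file was requested, then freeze the unveil set
 * and drop syscalls with pledge. Returns 0 on success, -1 on failure. */
int sandbox_output(const char *outfile)
{
    char promises[128];
    if (output_promises(outfile, promises, sizeof promises) == -1)
        return -1;
    if (unveil("/", "rx") == -1)
        return -1;
    if (strcmp(outfile, "-") != 0 && unveil(outfile, "cw") == -1)
        return -1;
    if (unveil(NULL, NULL) == -1)   /* no further unveil calls allowed */
        return -1;
    return pledge(promises, NULL);
}
```

Call sandbox_output(outfile) once after option parsing and before any network or file I/O; with a real path the file itself stays create/write-only, which is all an O_WRONLY|O_CREAT download needs.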
