I missed something. -Luke
On Sat, May 30, 2020 at 2:53 PM Luke Small <lukensm...@gmail.com> wrote:

> I’ll get to looking at ftp(1) more when I get some physical contact with
> my server. I’m quaranteaming with my girlfriend’s folks.
>
> I have a pkg_ping program (OpenBSD-specific, dns caching, latency-timed,
> architecture and version specific mirror search; which doesn’t download
> from OpenBSD.org/ftp.html anymore) that calls ftp to look up a random
> mirror’s ftplist. And it seems unreasonable that with the availability of
> unveil, that ftp is hardly secured at all outside of a program that must be
> root and then change to an unprivileged user to have much of any real file
> system safety. The fact that ftp even has an interactive mode suggests to
> me that perhaps people do use, or at least, have used it as a normal user,
> seeing that if you put yourself in a chroot and try to run it, it will in
> most cases preclude your access to ftp(1) at all.
>
> I mentioned initially:
>
> It could take 3 lines at line 389 in /usr/src/usr.bin/ftp/main.c:
>
>     if (strcmp(outfile, "-"))
>             if (unveil(outfile, "cw") == -1)
>                     err(1, "unveil");
>
> but it could look at several of the options like the cookie and
> certificate paths and such.
>
> I’d love to make it as safe to run as root as it is running it as an
> unprivileged chrooted user! And I love C!
>
> The reason I mentioned: “unveil("/", "rx")” is because if you unveiled
> anything like the “cw” privileges example, you’d obviously have to ensure
> that the read and exec privileges, perhaps even global ones are granted too.
>
> On Fri, May 29, 2020 at 8:50 AM Stuart Henderson <s...@spacehopper.org>
> wrote:
>
>> On 2020/05/29 08:30, Luke Small wrote:
>> > You mention a lot of files that need to be read, but a program like
>> > pkg_add can make it the _pkgfetch (57) user which has no directory and
>> > I’m guessing not in interactive mode. At the very least, in
>> > noninteractive mode you could unveil("/", "rx"); and change the
>> > specified output file discover the name of the file that is to be
>> > downloaded and unveil it as “cw” !
>> > --
>> > -Luke
>>
>> What problem are you trying to solve?
>>
>> If you are concerned about writes, use "ftp -o - $URL > somefile", it will
>> run without cpath/wpath, which is functionally similar to unveil("/", "rx")
>> (a bit stronger, because a program trying to write will be killed, rather
>> than just having a file access error).
>>
>> pkg_add(1) already uses "ftp -o -":
>>
>> # ktrace -di pkg_add -u moo
>> quirks-3.339 signed on 2020-05-27T20:05:28Z
>>
>> # kdump | grep promise=
>> 61644 ftp STRU promise="stdio rpath dns tty inet proc exec fattr"
>> 41938 signify STRU promise="stdio rpath wpath cpath tty"
>> 41938 signify STRU promise="stdio rpath"
>> 24897 ftp STRU promise="stdio rpath dns tty inet proc exec fattr"
>> 54324 signify STRU promise="stdio rpath wpath cpath tty"
>> 54324 signify STRU promise="stdio rpath"
>> 9188 ftp STRU promise="stdio rpath dns tty inet proc exec fattr"
>>
>> --
> -Luke
diff
Description: Binary data
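
The check described in the quoted reply (reading the promise= records from kdump to see whether ftp ever holds wpath or cpath) can be scripted. This is an added example, not part of the original thread or of OpenBSD's tools; the function names sample_kdump and pledge_summary are hypothetical, and the sample input is the kdump output quoted in the thread.

```shell
#!/bin/sh
# Sample input: the kdump lines quoted in the thread above.
sample_kdump() {
    cat <<'EOF'
61644 ftp STRU promise="stdio rpath dns tty inet proc exec fattr"
41938 signify STRU promise="stdio rpath wpath cpath tty"
41938 signify STRU promise="stdio rpath"
24897 ftp STRU promise="stdio rpath dns tty inet proc exec fattr"
54324 signify STRU promise="stdio rpath wpath cpath tty"
54324 signify STRU promise="stdio rpath"
9188 ftp STRU promise="stdio rpath dns tty inet proc exec fattr"
EOF
}

# Read kdump text on stdin and print one line per pid:
#   pid command write-ever|write-never final-promises
# "write-ever" means some pledge(2) call of that pid listed wpath or cpath.
# pledge can only narrow, so the last record is the final promise set, but a
# process that held wpath/cpath earlier could have written before dropping it.
# Anything done before the first pledge call is not visible in these records.
pledge_summary() {
    awk '
    $3 == "STRU" && /promise="/ {
        pid = $1; p = $0
        sub(/^.*promise="/, "", p)      # keep only the quoted promise list
        sub(/".*$/, "", p)
        if (!(pid in cmd)) order[++n] = pid
        cmd[pid] = $2
        final[pid] = p
        if ((" " p " ") ~ / (wpath|cpath) /) ever[pid] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            pid = order[i]
            flag = (pid in ever) ? "write-ever" : "write-never"
            printf "%s %s %s %s\n", pid, cmd[pid], flag, final[pid]
        }
    }'
}

# Stand-alone run over the sample; on a live system pipe in `kdump` instead.
sample_kdump | pledge_summary
```

On the sample, every ftp process is reported as write-never, while both signify processes are write-ever with a final promise set of "stdio rpath".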