Enclosed is a diff for net/igmpproxy, which puts igmpproxy in an
unprivileged chroot after startup. I'm currently discussing a more
extensive diff with upstream.

We normally do not add features to our ports, but I was wondering if
this addition makes sense to commit as it increases security a bit.

Run tested on amd64 in combination with an iptv setup.

While here add daemon_flags="${SYSCONFDIR}/igmpproxy.conf" to
igmpproxy.rc as igmpproxy will complain if no configuration file is
given.

Thoughts/tests/comments/OK?


diff --git infrastructure/db/user.list infrastructure/db/user.list
index bfb3d70510e..f2eb6a60b8d 100644
--- infrastructure/db/user.list
+++ infrastructure/db/user.list
@@ -376,3 +376,4 @@ id  user            group           port
 865 _vger              _vger           net/vger
 866 _navidrome         _navidrome      audio/navidrome
 867 _notify_push                       www/nextcloud_notify_push
+868 _igmpproxy         _igmpproxy      net/igmpproxy
diff --git net/igmpproxy/Makefile net/igmpproxy/Makefile
index f87a2b4fc45..6d971d68749 100644
--- net/igmpproxy/Makefile
+++ net/igmpproxy/Makefile
@@ -3,7 +3,7 @@
 COMMENT =      multicast router utilizing IGMP forwarding
 
 VERSION =      0.3
-REVISION =     0
+REVISION =     1
 DISTNAME =     igmpproxy-${VERSION}
 CATEGORIES =   net
 MASTER_SITES = https://github.com/pali/igmpproxy/releases/download/${VERSION}/
diff --git net/igmpproxy/patches/patch-src_igmpproxy_c 
net/igmpproxy/patches/patch-src_igmpproxy_c
index 021692a14b3..a4aee9e92f0 100644
--- net/igmpproxy/patches/patch-src_igmpproxy_c
+++ net/igmpproxy/patches/patch-src_igmpproxy_c
@@ -3,7 +3,7 @@ $OpenBSD: patch-src_igmpproxy_c,v 1.1 2021/01/12 17:59:49 sthen 
Exp $
 Index: src/igmpproxy.c
 --- src/igmpproxy.c.orig
 +++ src/igmpproxy.c
-@@ -37,13 +37,10 @@
+@@ -37,13 +37,11 @@
  *   February 2005 - Johnny Egeland
  */
  
@@ -14,12 +14,23 @@ Index: src/igmpproxy.c
 -
  #include "igmpproxy.h"
  
++#include <pwd.h>
 +#include <sys/sysctl.h>
 +
  static const char Usage[] =
  "Usage: igmpproxy [-h] [-n] [-d] [-v [-v]] <configfile>\n"
  "\n"
-@@ -123,6 +120,25 @@ int main( int ArgCn, char *ArgVc[] ) {
+@@ -68,6 +66,9 @@ static int sighandled = 0;
+ #define GOT_SIGUSR1 0x04
+ #define GOT_SIGUSR2 0x08
+ 
++#define CHROOT_DIR  "/var/empty"
++#define NOPRIV_USER "_igmpproxy"
++
+ // Holds the indeces of the upstream IF...
+ int     upStreamIfIdx[MAX_UPS_VIFS];
+ 
+@@ -123,6 +124,25 @@ int main( int ArgCn, char *ArgVc[] ) {
  
      openlog("igmpproxy", LOG_PID, LOG_USER);
  
@@ -45,25 +56,42 @@ Index: src/igmpproxy.c
      // Write debug notice with file path...
      my_log(LOG_DEBUG, 0, "Searching for config file at '%s'" , 
configFilePath);
  
-@@ -142,16 +158,8 @@ int main( int ArgCn, char *ArgVc[] ) {
+@@ -140,18 +160,25 @@ int main( int ArgCn, char *ArgVc[] ) {
+             break;
+         }
  
-         if ( !NotAsDaemon ) {
+-        if ( !NotAsDaemon ) {
++        // Drop privileges
++        {
++            struct passwd *pw;
  
 -            // Only daemon goes past this line...
 -            if (fork()) exit(0);
--
++            pw = getpwnam(NOPRIV_USER);
++            if (pw == NULL)
++                my_log(LOG_ERR, 0, "unknown user %s", NOPRIV_USER);
+ 
 -            // Detach daemon from terminal
 -            if ( close( 0 ) < 0 || close( 1 ) < 0 || close( 2 ) < 0
 -                || open( "/dev/null", 0 ) != 0 || dup2( 0, 1 ) < 0 || dup2( 
0, 2 ) < 0
 -                || setpgid( 0, 0 ) < 0
 -            ) {
++            if (chroot(CHROOT_DIR) != 0 || chdir("/") != 0 ||
++              setgroups(1, &pw->pw_gid) != 0 ||
++              setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0 ||
++              setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0)
++                my_log(LOG_ERR, 0, "cannot drop privileges");
++        }
++
++        if ( !NotAsDaemon ) {
++
 +            if ( daemon(1, 0 ) < 0 )
                  my_log( LOG_ERR, errno, "failed to detach daemon" );
 -            }
          }
  
          // Go to the main loop.
-@@ -207,6 +215,8 @@ int igmpProxyInit(void) {
+@@ -207,6 +234,8 @@ int igmpProxyInit(void) {
          }
  
          for ( Ix = 0; (Dp = getIfByIx(Ix)); Ix++ ) {
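Review bot: Both failure paths in the added privilege-drop block only call `my_log(LOG_ERR, ...)`, so they are safe only if my_log() terminates the process at that severity, which these lines do not show. If it can return, a failed `getpwnam(NOPRIV_USER)` is followed by a NULL dereference at `&pw->pw_gid`, and a failed chroot/chdir/setgroups/setresgid/setresuid leaves the daemon running with whatever privileges it still holds. Either add a comment above the block stating that LOG_ERR is fatal in my_log(), or make the exit explicit after each call, e.g. `exit(1);`. The second call also passes 0 as the errno argument, so `my_log(LOG_ERR, errno, "cannot drop privileges");` would record which step failed and why. main() starts and ends outside this hunk.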
diff --git net/igmpproxy/pkg/PLIST net/igmpproxy/pkg/PLIST
index 1cbe5a08909..32ebfcdd078 100644
--- net/igmpproxy/pkg/PLIST
+++ net/igmpproxy/pkg/PLIST
@@ -1,4 +1,6 @@
 @comment $OpenBSD: PLIST,v 1.5 2021/01/12 17:59:50 sthen Exp $
+@newgroup _igmpproxy:868
+@newuser _igmpproxy:868:868:daemon:IGMP multicast routing 
daemon:/var/empty:/sbin/nologin
 @rcscript ${RCDIR}/igmpproxy
 @man man/man5/igmpproxy.conf.5
 @man man/man8/igmpproxy.8
diff --git net/igmpproxy/pkg/igmpproxy.rc net/igmpproxy/pkg/igmpproxy.rc
index f4366b88351..3718a74d8a2 100644
--- net/igmpproxy/pkg/igmpproxy.rc
+++ net/igmpproxy/pkg/igmpproxy.rc
@@ -3,6 +3,7 @@
 # $OpenBSD: igmpproxy.rc,v 1.2 2018/01/11 19:27:05 rpe Exp $
 
 daemon="${TRUEPREFIX}/sbin/igmpproxy"
+daemon_flags="${SYSCONFDIR}/igmpproxy.conf"
 
 . /etc/rc.d/rc.subr
 
