Re: perl privilege drop
On Thu, Jul 25, 2019 at 09:35:44AM -0600, Theo de Raadt wrote:
> Andrew Hewus Fresh wrote:
> > https://perldoc.perl.org/5.30.0/functions/chroot.html
> > > NOTE: It is good security practice to do chdir("/")
> > > (chdir to the root directory) immediately after a chroot.
> >
>
> The phrasing "good security practice" is quite disappointing, when it
> is MANDATORY. Much like saying it is not good practice to wipe your bum.

I filed a ticket with some possibly improved wording, lightly based on
what's below.

https://rt.perl.org/Public/Bug/Display.html?id=134314

> It is mandatory because otherwise a program-user can arrange for cwd
> to be outside the jail, and utilize that fact to pivot, and in some
> program path utilizations the chroot then becomes not just pointless..
> it is worse than normal, because it creates a dual-namespace view of
> the filesystem, that is a condition that program and libraries are not
> prepared to operate in.

l8rZ,
--
andrew - http://afresh1.com

What are the unsurpassable real world weaknesses in OpenBSD, that you
know of?
    -- Kevin Chadwick
Lots of fake people attacking the project on the mailing lists makes
them a poor resource for users.
    -- Theo de Raadt
Re: perl privilege drop
Andrew Hewus Fresh wrote:
> On Thu, Jul 25, 2019 at 07:16:27AM -0500, Edgar Pettijohn wrote:
> >
> > On Jul 24, 2019 9:06 PM, Andrew Hewus Fresh wrote:
> > >
> > > On Sat, Jul 20, 2019 at 07:20:23PM -0500, Edgar Pettijohn wrote:
> > > > Is there a standard OpenBSD approved method for dropping privileges in
> > > > a perl server? Currently looking into Privileges::Drop, but since it
> > > > isn't in base makes me curious if there is a better way.
> > >
> > >
> > > It's relatively easy to do it yourself like I did in this Plack example.
> > >
> > > https://gist.github.com/afresh1/558fc0b4dfbeab0fbd59
> > >
> > > use POSIX qw( setuid setgid );
> > > chroot $root || die "Couldn't chroot to $root: $!";
> > > setgid($gid) || die "Couldn't setgid $group [$gid]: $!";
> > > setuid($uid) || die "Couldn't setuid $user [$uid]: $!";
> > >
> >
> > That's too easy. I was expecting it to be more difficult.
>
> It was pointed out to me that I missed the chdir after the chroot that
> is required to not have a possible leak.
>
> chroot $root || die "Couldn't chroot to $root: $!";
> chdir '/'|| die "Couldn't chdir to '/': $!";
>
>
> https://perldoc.perl.org/5.30.0/functions/chroot.html
> > NOTE: It is good security practice to do chdir("/")
> > (chdir to the root directory) immediately after a chroot.
>
> Sorry about that!

The phrasing "good security practice" is quite disappointing, when it
is MANDATORY. Much like saying it is not good practice to wipe your bum.

It is mandatory because otherwise a program-user can arrange for cwd
to be outside the jail, and utilize that fact to pivot, and in some
program path utilizations the chroot then becomes not just pointless..
it is worse than normal, because it creates a dual-namespace view of
the filesystem, that is a condition that program and libraries are not
prepared to operate in.
Re: perl privilege drop
On Thu, Jul 25, 2019 at 07:16:27AM -0500, Edgar Pettijohn wrote:
>
> On Jul 24, 2019 9:06 PM, Andrew Hewus Fresh wrote:
> >
> > On Sat, Jul 20, 2019 at 07:20:23PM -0500, Edgar Pettijohn wrote:
> > > Is there a standard OpenBSD approved method for dropping privileges in
> > > a perl server? Currently looking into Privileges::Drop, but since it
> > > isn't in base makes me curious if there is a better way.
> >
> >
> > It's relatively easy to do it yourself like I did in this Plack example.
> >
> > https://gist.github.com/afresh1/558fc0b4dfbeab0fbd59
> >
> > use POSIX qw( setuid setgid );
> > chroot $root || die "Couldn't chroot to $root: $!";
> > setgid($gid) || die "Couldn't setgid $group [$gid]: $!";
> > setuid($uid) || die "Couldn't setuid $user [$uid]: $!";
> >
>
> That's too easy. I was expecting it to be more difficult.

It was pointed out to me that I missed the chdir after the chroot that
is required to not have a possible leak.

chroot $root || die "Couldn't chroot to $root: $!";
chdir '/'|| die "Couldn't chdir to '/': $!";

https://perldoc.perl.org/5.30.0/functions/chroot.html
> NOTE: It is good security practice to do chdir("/")
> (chdir to the root directory) immediately after a chroot.

Sorry about that!

>
> Thanks,
>
> Edgar
> > I don't know exactly what you're looking for though, so maybe
> > OpenBSD::Pledge(3p) or OpenBSD::Unveil(3p) are more what you want?
> >
> > http://man.openbsd.org/OpenBSD::Pledge
> > http://man.openbsd.org/OpenBSD::Unveil
> >
> >
> > l8rZ,
> > --
> > andrew - http://afresh1.com
> >
> > ($do || !$do) && undef($try) ; # Master of Perl, Yoda is. H?
> >

--
andrew - http://afresh1.com

Whatever happened to the days when hacking started
at the cerebral cortex and not the keyboard?
    -- Sid from UserFriendly.org
Re: perl privilege drop
On Jul 24, 2019 9:06 PM, Andrew Hewus Fresh wrote:
>
> On Sat, Jul 20, 2019 at 07:20:23PM -0500, Edgar Pettijohn wrote:
> > Is there a standard OpenBSD approved method for dropping privileges in
> > a perl server? Currently looking into Privileges::Drop, but since it
> > isn't in base makes me curious if there is a better way.
>
>
> It's relatively easy to do it yourself like I did in this Plack example.
>
> https://gist.github.com/afresh1/558fc0b4dfbeab0fbd59
>
> use POSIX qw( setuid setgid );
> chroot $root || die "Couldn't chroot to $root: $!";
> setgid($gid) || die "Couldn't setgid $group [$gid]: $!";
> setuid($uid) || die "Couldn't setuid $user [$uid]: $!";
>

That's too easy. I was expecting it to be more difficult.

Thanks,

Edgar

> I don't know exactly what you're looking for though, so maybe
> OpenBSD::Pledge(3p) or OpenBSD::Unveil(3p) are more what you want?
>
> http://man.openbsd.org/OpenBSD::Pledge
> http://man.openbsd.org/OpenBSD::Unveil
>
>
> l8rZ,
> --
> andrew - http://afresh1.com
>
> ($do || !$do) && undef($try) ; # Master of Perl, Yoda is. H?
>
Re: perl privilege drop
On Sat, Jul 20, 2019 at 07:20:23PM -0500, Edgar Pettijohn wrote:
> Is there a standard OpenBSD approved method for dropping privileges in
> a perl server? Currently looking into Privileges::Drop, but since it
> isn't in base makes me curious if there is a better way.

It's relatively easy to do it yourself like I did in this Plack example.

https://gist.github.com/afresh1/558fc0b4dfbeab0fbd59

use POSIX qw( setuid setgid );
chroot $root || die "Couldn't chroot to $root: $!";
setgid($gid) || die "Couldn't setgid $group [$gid]: $!";
setuid($uid) || die "Couldn't setuid $user [$uid]: $!";

I don't know exactly what you're looking for though, so maybe
OpenBSD::Pledge(3p) or OpenBSD::Unveil(3p) are more what you want?

http://man.openbsd.org/OpenBSD::Pledge
http://man.openbsd.org/OpenBSD::Unveil

l8rZ,
--
andrew - http://afresh1.com

($do || !$do) && undef($try) ; # Master of Perl, Yoda is. H?
perl privilege drop
Is there a standard OpenBSD approved method for dropping privileges in
a perl server? Currently looking into Privileges::Drop, but since it
isn't in base makes me curious if there is a better way.

Thanks,

Edgar