subject:"pledge net\/ngircd"

Re: pledge net/ngircd

2020-02-21 Thread Michael

On Fri, Feb 14, 2020 at 06:31:50PM +0100, Solene Rapenne wrote:
> [...]
> I'm ok with the last patch, it's harmless (no special configuration
> required) and will improve security.
> 
> I CC maintainer, it's up to tsg now
> 

Ping?

While we are there, mentioned pledge() in the Makefile, new patch below:


Index: Makefile
===
RCS file: /cvs/ports/net/ngircd/Makefile,v
retrieving revision 1.18
diff -u -p -u -p -r1.18 Makefile
--- Makefile12 Jul 2019 20:48:34 -  1.18
+++ Makefile21 Feb 2020 12:36:53 -
@@ -4,6 +4,8 @@ COMMENT =   lightweight irc server
 
 DISTNAME = ngircd-25
 
+REVISION = 0
+
 CATEGORIES =   net
 
 HOMEPAGE = https://ngircd.barton.de/
@@ -13,6 +15,7 @@ MAINTAINER =  Giannis Tsaraias http://ngircd.barton.de/pub/ngircd/ \
Index: patches/patch-src_ngircd_ngircd_c
===
RCS file: /cvs/ports/net/ngircd/patches/patch-src_ngircd_ngircd_c,v
retrieving revision 1.4
diff -u -p -u -p -r1.4 patch-src_ngircd_ngircd_c
--- patches/patch-src_ngircd_ngircd_c   3 Dec 2014 10:32:18 -   1.4
+++ patches/patch-src_ngircd_ngircd_c   21 Feb 2020 12:36:53 -
@@ -1,7 +1,25 @@
 $OpenBSD: patch-src_ngircd_ngircd_c,v 1.4 2014/12/03 10:32:18 jasper Exp $
 src/ngircd/ngircd.c.orig   Mon Jul 14 13:26:07 2014
-+++ src/ngircd/ngircd.cTue Dec  2 20:05:31 2014
-@@ -563,7 +563,7 @@ Setup_FDStreams(int fd)
+Index: src/ngircd/ngircd.c
+--- src/ngircd/ngircd.c.orig
 src/ngircd/ngircd.c
+@@ -259,6 +259,16 @@ main(int argc, const char *argv[])
+   exit(1);
+   }
+ 
++  /* XXX using a PID file needs cpath to unlink() later */
++  if(Conf_PidFile[0]) {
++  if ( pledge("stdio inet dns rpath proc getpw cpath", 
NULL) == -1)
++  err(1, "pledge");
++  }
++  else {
++  if ( pledge("stdio inet dns rpath proc getpw", NULL) == 
-1)
++  err(1, "pledge");
++  }
++
+   /* Initialize modules, part II: these functions are eventually
+* called with already dropped privileges ... */
+   Channel_Init();
+@@ -563,7 +573,7 @@ Setup_FDStreams(int fd)
  #if !defined(SINGLE_USER_OS)
  
  /**
@@ -10,7 +28,7 @@ $OpenBSD: patch-src_ngircd_ngircd_c,v 1.
   *
   * @param uid User ID
   * @param gid Group ID
-@@ -587,7 +587,7 @@ NGIRCd_getNobodyID(uid_t *uid, gid_t *gid )
+@@ -587,7 +597,7 @@ NGIRCd_getNobodyID(uid_t *uid, gid_t *gid )
}
  #endif
  
@@ -19,7 +37,7 @@ $OpenBSD: patch-src_ngircd_ngircd_c,v 1.
if (!pwd)
return false;
  
-@@ -703,11 +703,11 @@ NGIRCd_Init(bool NGIRCd_NoDaemon)
+@@ -703,11 +713,11 @@ NGIRCd_Init(bool NGIRCd_NoDaemon)
if (Conf_UID == 0) {
pwd = getpwuid(0);
Log(LOG_INFO,
Index: patches/patch-src_ngircd_proc_c
===
RCS file: patches/patch-src_ngircd_proc_c
diff -N patches/patch-src_ngircd_proc_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-src_ngircd_proc_c 21 Feb 2020 12:36:53 -
@@ -0,0 +1,15 @@
+$OpenBSD$
+
+Index: src/ngircd/proc.c
+--- src/ngircd/proc.c.orig
 src/ngircd/proc.c
+@@ -76,6 +76,9 @@ Proc_Fork(PROC_STAT *proc, int *pipefds, void (*cbfunc
+   return -1;
+   case 0:
+   /* New child process: */
++  /* XXX no PAM, fork only for DNS */
++  if (pledge("stdio dns", NULL) == -1)   
++  err(1, "pledge"); 
+ #ifdef HAVE_ARC4RANDOM_STIR
+   arc4random_stir();
+ #endif

Re: pledge net/ngircd

2020-02-14 Thread Solene Rapenne

On Tue, Feb 11, 2020 at 11:45:44AM +0100, Michael wrote:
> Hello Matthias,
> 
> On Mon, Feb 10, 2020 at 02:43:05PM +0100, Matthias Schmidt wrote:
> > Hi Michael,
> > 
> > On 10.02.2020 14:31, Michael wrote:
> > > On Fri, Feb 07, 2020 at 03:27:33PM +0100, Michael wrote:
> > > > Hello ports@,
> > > > 
> > > > this patch adds pledge() to net/ngircd. Tested on amd64 with ngircd
> > > > running with TLS. Unfortunately the promises can't be further reduced
> > > > since this would break /rehash (i.e. reloading the config) later. But
> > > > this is better than nothing.
> > > > 
> > > > [...]
> > > 
> > > solene@ pointed out that if the option "PidFile" is being used
> > > unlink()ing the file later fails. However I personally don't like adding
> > > another promise just for that. I can't see any sensible use case for
> > > ngircds PID file; the Option itself is not set by default.
> > > 
> > > So my idea would be to either skip or remove the PidFile code, or just
> > > ignore the issue. The abort happens after shutting everything else down
> > > and starting ngircd again works even if the old PID file is still in
> > > place. Both variants mean changing or breaking functionality but that
> > > would be bearable given the low impact IMHO. Using unveil() might also
> > > be an option.
> > > 
> > > Any thoughts on this?
> > 
> > Active ngircd user here. I personally use the PID file with my monitoring
> > system
> > for process supervision (monit in my case). Although I could use process
> > name
> > matching, getting the PID from the PIDFile seems more natural.
> > 
> > Cheers
> > 
> >   Matthias
> > 
> > PS: I would appreciate a pledged ngircd very much.
> > 
> 
> Yes, pledge() for ngircd is long overdue :) Below is an updated patch 
> that handles having PidFile configured. I am unsure if details like 
> having PidFile set enables the "cpath" promise should be documented or 
> not.
> 
> Index: Makefile
> ===
> RCS file: /cvs/ports/net/ngircd/Makefile,v
> retrieving revision 1.18
> diff -u -p -u -p -r1.18 Makefile
> --- Makefile  12 Jul 2019 20:48:34 -  1.18
> +++ Makefile  11 Feb 2020 10:24:57 -
> @@ -4,6 +4,8 @@ COMMENT = lightweight irc server
>  
>  DISTNAME =   ngircd-25
>  
> +REVISION =   0
> +
>  CATEGORIES = net
>  
>  HOMEPAGE =   https://ngircd.barton.de/
> Index: patches/patch-src_ngircd_ngircd_c
> ===
> RCS file: /cvs/ports/net/ngircd/patches/patch-src_ngircd_ngircd_c,v
> retrieving revision 1.4
> diff -u -p -u -p -r1.4 patch-src_ngircd_ngircd_c
> --- patches/patch-src_ngircd_ngircd_c 3 Dec 2014 10:32:18 -   1.4
> +++ patches/patch-src_ngircd_ngircd_c 11 Feb 2020 10:24:57 -
> @@ -1,7 +1,25 @@
>  $OpenBSD: patch-src_ngircd_ngircd_c,v 1.4 2014/12/03 10:32:18 jasper Exp $
>  src/ngircd/ngircd.c.orig Mon Jul 14 13:26:07 2014
> -+++ src/ngircd/ngircd.c  Tue Dec  2 20:05:31 2014
> -@@ -563,7 +563,7 @@ Setup_FDStreams(int fd)
> +Index: src/ngircd/ngircd.c
> +--- src/ngircd/ngircd.c.orig
>  src/ngircd/ngircd.c
> +@@ -259,6 +259,16 @@ main(int argc, const char *argv[])
> + exit(1);
> + }
> + 
> ++/* XXX using a PID file needs cpath to unlink() later */
> ++if(Conf_PidFile[0]) {
> ++if ( pledge("stdio inet dns rpath proc getpw cpath", 
> NULL) == -1)
> ++err(1, "pledge");
> ++}
> ++else {
> ++if ( pledge("stdio inet dns rpath proc getpw", NULL) == 
> -1)
> ++err(1, "pledge");
> ++}
> ++
> + /* Initialize modules, part II: these functions are eventually
> +  * called with already dropped privileges ... */
> + Channel_Init();
> +@@ -563,7 +573,7 @@ Setup_FDStreams(int fd)
>   #if !defined(SINGLE_USER_OS)
>   
>   /**
> @@ -10,7 +28,7 @@ $OpenBSD: patch-src_ngircd_ngircd_c,v 1.
>*
>* @param uid   User ID
>* @param gid   Group ID
> -@@ -587,7 +587,7 @@ NGIRCd_getNobodyID(uid_t *uid, gid_t *gid )
> +@@ -587,7 +597,7 @@ NGIRCd_getNobodyID(uid_t *uid, gid_t *gid )
>   }
>   #endif
>   
> @@ -19,7 +37,7 @@ $OpenBSD: patch-src_ngircd_ngircd_c,v 1.
>   if (!pwd)
>   return false;
>   
> -@@ -703,11 +703,11 @@ NGIRCd_Init(bool NGIRCd_NoDaemon)
> +@@ -703,11 +713,11 @@ NGIRCd_Init(bool NGIRCd_NoDaemon)
>   if (Conf_UID == 0) {
>   pwd = getpwuid(0);
>   Log(LOG_INFO,
> Index: patches/patch-src_ngircd_proc_c
> ===
> RCS file: patches/patch-src_ngircd_proc_c
> diff -N patches/patch-src_ngircd_proc_c
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-src_ngircd_proc_c   11 Feb 2020 10:24:57 -
> @@ -0,0 +1,15 @@
> +$OpenBSD$
> +
> +Index: src/ngircd/proc.c
> +--- src/ngircd/proc.c.orig
>

Re: pledge net/ngircd

2020-02-11 Thread Michael

Hello Matthias,

On Mon, Feb 10, 2020 at 02:43:05PM +0100, Matthias Schmidt wrote:
> Hi Michael,
> 
> On 10.02.2020 14:31, Michael wrote:
> > On Fri, Feb 07, 2020 at 03:27:33PM +0100, Michael wrote:
> > > Hello ports@,
> > > 
> > > this patch adds pledge() to net/ngircd. Tested on amd64 with ngircd
> > > running with TLS. Unfortunately the promises can't be further reduced
> > > since this would break /rehash (i.e. reloading the config) later. But
> > > this is better than nothing.
> > > 
> > > [...]
> > 
> > solene@ pointed out that if the option "PidFile" is being used
> > unlink()ing the file later fails. However I personally don't like adding
> > another promise just for that. I can't see any sensible use case for
> > ngircds PID file; the Option itself is not set by default.
> > 
> > So my idea would be to either skip or remove the PidFile code, or just
> > ignore the issue. The abort happens after shutting everything else down
> > and starting ngircd again works even if the old PID file is still in
> > place. Both variants mean changing or breaking functionality but that
> > would be bearable given the low impact IMHO. Using unveil() might also
> > be an option.
> > 
> > Any thoughts on this?
> 
> Active ngircd user here. I personally use the PID file with my monitoring
> system
> for process supervision (monit in my case). Although I could use process
> name
> matching, getting the PID from the PIDFile seems more natural.
> 
> Cheers
> 
>   Matthias
> 
> PS: I would appreciate a pledged ngircd very much.
> 

Yes, pledge() for ngircd is long overdue :) Below is an updated patch 
that handles having PidFile configured. I am unsure if details like 
having PidFile set enables the "cpath" promise should be documented or 
not.

Index: Makefile
===
RCS file: /cvs/ports/net/ngircd/Makefile,v
retrieving revision 1.18
diff -u -p -u -p -r1.18 Makefile
--- Makefile12 Jul 2019 20:48:34 -  1.18
+++ Makefile11 Feb 2020 10:24:57 -
@@ -4,6 +4,8 @@ COMMENT =   lightweight irc server
 
 DISTNAME = ngircd-25
 
+REVISION = 0
+
 CATEGORIES =   net
 
 HOMEPAGE = https://ngircd.barton.de/
Index: patches/patch-src_ngircd_ngircd_c
===
RCS file: /cvs/ports/net/ngircd/patches/patch-src_ngircd_ngircd_c,v
retrieving revision 1.4
diff -u -p -u -p -r1.4 patch-src_ngircd_ngircd_c
--- patches/patch-src_ngircd_ngircd_c   3 Dec 2014 10:32:18 -   1.4
+++ patches/patch-src_ngircd_ngircd_c   11 Feb 2020 10:24:57 -
@@ -1,7 +1,25 @@
 $OpenBSD: patch-src_ngircd_ngircd_c,v 1.4 2014/12/03 10:32:18 jasper Exp $
 src/ngircd/ngircd.c.orig   Mon Jul 14 13:26:07 2014
-+++ src/ngircd/ngircd.cTue Dec  2 20:05:31 2014
-@@ -563,7 +563,7 @@ Setup_FDStreams(int fd)
+Index: src/ngircd/ngircd.c
+--- src/ngircd/ngircd.c.orig
 src/ngircd/ngircd.c
+@@ -259,6 +259,16 @@ main(int argc, const char *argv[])
+   exit(1);
+   }
+ 
++  /* XXX using a PID file needs cpath to unlink() later */
++  if(Conf_PidFile[0]) {
++  if ( pledge("stdio inet dns rpath proc getpw cpath", 
NULL) == -1)
++  err(1, "pledge");
++  }
++  else {
++  if ( pledge("stdio inet dns rpath proc getpw", NULL) == 
-1)
++  err(1, "pledge");
++  }
++
+   /* Initialize modules, part II: these functions are eventually
+* called with already dropped privileges ... */
+   Channel_Init();
+@@ -563,7 +573,7 @@ Setup_FDStreams(int fd)
  #if !defined(SINGLE_USER_OS)
  
  /**
@@ -10,7 +28,7 @@ $OpenBSD: patch-src_ngircd_ngircd_c,v 1.
   *
   * @param uid User ID
   * @param gid Group ID
-@@ -587,7 +587,7 @@ NGIRCd_getNobodyID(uid_t *uid, gid_t *gid )
+@@ -587,7 +597,7 @@ NGIRCd_getNobodyID(uid_t *uid, gid_t *gid )
}
  #endif
  
@@ -19,7 +37,7 @@ $OpenBSD: patch-src_ngircd_ngircd_c,v 1.
if (!pwd)
return false;
  
-@@ -703,11 +703,11 @@ NGIRCd_Init(bool NGIRCd_NoDaemon)
+@@ -703,11 +713,11 @@ NGIRCd_Init(bool NGIRCd_NoDaemon)
if (Conf_UID == 0) {
pwd = getpwuid(0);
Log(LOG_INFO,
Index: patches/patch-src_ngircd_proc_c
===
RCS file: patches/patch-src_ngircd_proc_c
diff -N patches/patch-src_ngircd_proc_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-src_ngircd_proc_c 11 Feb 2020 10:24:57 -
@@ -0,0 +1,15 @@
+$OpenBSD$
+
+Index: src/ngircd/proc.c
+--- src/ngircd/proc.c.orig
 src/ngircd/proc.c
+@@ -76,6 +76,9 @@ Proc_Fork(PROC_STAT *proc, int *pipefds, void (*cbfunc
+   return -1;
+   case 0:
+   /* New child process: */
++  /* XXX no PAM, fork only for DNS */
++  if (pledge("stdio dns",

Re: pledge net/ngircd

2020-02-10 Thread Matthias Schmidt


Hi Michael,

On 10.02.2020 14:31, Michael wrote:

On Fri, Feb 07, 2020 at 03:27:33PM +0100, Michael wrote:

Hello ports@,

this patch adds pledge() to net/ngircd. Tested on amd64 with ngircd
running with TLS. Unfortunately the promises can't be further reduced
since this would break /rehash (i.e. reloading the config) later. But
this is better than nothing.

[...]


solene@ pointed out that if the option "PidFile" is being used
unlink()ing the file later fails. However I personally don't like 
adding

another promise just for that. I can't see any sensible use case for
ngircds PID file; the Option itself is not set by default.

So my idea would be to either skip or remove the PidFile code, or just
ignore the issue. The abort happens after shutting everything else down
and starting ngircd again works even if the old PID file is still in
place. Both variants mean changing or breaking functionality but that
would be bearable given the low impact IMHO. Using unveil() might also
be an option.

Any thoughts on this?


Active ngircd user here. I personally use the PID file with my 
monitoring system
for process supervision (monit in my case). Although I could use process 
name

matching, getting the PID from the PIDFile seems more natural.

Cheers

  Matthias

PS: I would appreciate a pledged ngircd very much.

Re: pledge net/ngircd

2020-02-10 Thread Michael

On Fri, Feb 07, 2020 at 03:27:33PM +0100, Michael wrote:
> Hello ports@,
> 
> this patch adds pledge() to net/ngircd. Tested on amd64 with ngircd 
> running with TLS. Unfortunately the promises can't be further reduced 
> since this would break /rehash (i.e. reloading the config) later. But 
> this is better than nothing.
> 
> [...] 

solene@ pointed out that if the option "PidFile" is being used 
unlink()ing the file later fails. However I personally don't like adding 
another promise just for that. I can't see any sensible use case for 
ngircds PID file; the Option itself is not set by default.

So my idea would be to either skip or remove the PidFile code, or just 
ignore the issue. The abort happens after shutting everything else down 
and starting ngircd again works even if the old PID file is still in 
place. Both variants mean changing or breaking functionality but that 
would be bearable given the low impact IMHO. Using unveil() might also 
be an option.

Any thoughts on this?

pledge net/ngircd

2020-02-07 Thread Michael

Hello ports@,

this patch adds pledge() to net/ngircd. Tested on amd64 with ngircd 
running with TLS. Unfortunately the promises can't be further reduced 
since this would break /rehash (i.e. reloading the config) later. But 
this is better than nothing.


Index: Makefile
===
RCS file: /cvs/ports/net/ngircd/Makefile,v
retrieving revision 1.18
diff -u -p -u -p -r1.18 Makefile
--- Makefile12 Jul 2019 20:48:34 -  1.18
+++ Makefile7 Feb 2020 14:15:32 -
@@ -4,6 +4,8 @@ COMMENT =   lightweight irc server
 
 DISTNAME = ngircd-25
 
+REVISION = 0
+
 CATEGORIES =   net
 
 HOMEPAGE = https://ngircd.barton.de/
Index: patches/patch-src_ngircd_ngircd_c
===
RCS file: /cvs/ports/net/ngircd/patches/patch-src_ngircd_ngircd_c,v
retrieving revision 1.4
diff -u -p -u -p -r1.4 patch-src_ngircd_ngircd_c
--- patches/patch-src_ngircd_ngircd_c   3 Dec 2014 10:32:18 -   1.4
+++ patches/patch-src_ngircd_ngircd_c   7 Feb 2020 14:15:32 -
@@ -1,7 +1,18 @@
 $OpenBSD: patch-src_ngircd_ngircd_c,v 1.4 2014/12/03 10:32:18 jasper Exp $
 src/ngircd/ngircd.c.orig   Mon Jul 14 13:26:07 2014
-+++ src/ngircd/ngircd.cTue Dec  2 20:05:31 2014
-@@ -563,7 +563,7 @@ Setup_FDStreams(int fd)
+Index: src/ngircd/ngircd.c
+--- src/ngircd/ngircd.c.orig
 src/ngircd/ngircd.c
+@@ -259,6 +259,9 @@ main(int argc, const char *argv[])
+   exit(1);
+   }
+ 
++  if ( pledge("stdio inet dns rpath proc getpw", NULL) == -1)
++  err(1, "pledge");
++
+   /* Initialize modules, part II: these functions are eventually
+* called with already dropped privileges ... */
+   Channel_Init();
+@@ -563,7 +566,7 @@ Setup_FDStreams(int fd)
  #if !defined(SINGLE_USER_OS)
  
  /**
@@ -10,7 +21,7 @@ $OpenBSD: patch-src_ngircd_ngircd_c,v 1.
   *
   * @param uid User ID
   * @param gid Group ID
-@@ -587,7 +587,7 @@ NGIRCd_getNobodyID(uid_t *uid, gid_t *gid )
+@@ -587,7 +590,7 @@ NGIRCd_getNobodyID(uid_t *uid, gid_t *gid )
}
  #endif
  
@@ -19,7 +30,7 @@ $OpenBSD: patch-src_ngircd_ngircd_c,v 1.
if (!pwd)
return false;
  
-@@ -703,11 +703,11 @@ NGIRCd_Init(bool NGIRCd_NoDaemon)
+@@ -703,11 +706,11 @@ NGIRCd_Init(bool NGIRCd_NoDaemon)
if (Conf_UID == 0) {
pwd = getpwuid(0);
Log(LOG_INFO,
Index: patches/patch-src_ngircd_proc_c
===
RCS file: patches/patch-src_ngircd_proc_c
diff -N patches/patch-src_ngircd_proc_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-src_ngircd_proc_c 7 Feb 2020 14:15:32 -
@@ -0,0 +1,15 @@
+$OpenBSD$
+
+Index: src/ngircd/proc.c
+--- src/ngircd/proc.c.orig
 src/ngircd/proc.c
+@@ -76,6 +76,9 @@ Proc_Fork(PROC_STAT *proc, int *pipefds, void (*cbfunc
+   return -1;
+   case 0:
+   /* New child process: */
++  /* XXX no PAM, fork only for DNS */
++  if (pledge("stdio dns", NULL) == -1)   
++  err(1, "pledge"); 
+ #ifdef HAVE_ARC4RANDOM_STIR
+   arc4random_stir();
+ #endif

Re: pledge net/ngircd

Re: pledge net/ngircd

Re: pledge net/ngircd

Re: pledge net/ngircd

Re: pledge net/ngircd

pledge net/ngircd

6 matches

Site Navigation

Mail list logo

Footer information