Bryan Steele wrote:
> OpenBSD's file(1) implementation was written by nicm@, first introduced
> in 5.8, the initial design included a privileged parent process which
> forked an unprivileged child which would handle potentially unsafe
> file parsing.
>
> It also had 'sandboxing' using systrace(4), which required complex
> parent/child monitoring (SIGSTOP/START) to attach a policy to the
> child process.
>
> The goal was to make running file(1) safer, as it is often blindly
> run as root by users and build scripts alike.
>
> Today, file(1) uses pledge(2) in the unprivileged child, and the
> parent handles the initial opening and passing of fds using imsg, but
> otherwise it just wait(4)'s until the process exits.
>
> The diff below attempts to simplify the design, removing the
> parent/child abstractions entirely and dropping privs in the parent
> after opening the magic(5) patterns and input.
>
> This was brought up during awolk@'s #openbsd-daily readthrough.
>
> Make sense, or unnecessary churn? :-)
No, this makes a lot of sense to me. pledge is supposed to make this stuff easier. I didn't read the whole diff, but I believe the idea is sound.
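The ordering the quoted message proposes (open the magic(5) patterns and the input while still unrestricted, then pledge(2) down to "stdio" before parsing a single untrusted byte) is easy to show in isolation. The program below is an added illustration, not the file(1) source or the diff under discussion: its four-entry signature table stands in for magic(5), the function names (`open_inputs`, `drop_to_stdio`, `identify_fd`, `classify`) are my own, and the `pledge` shim for non-OpenBSD hosts is an assumption so the code also compiles where the syscall does not exist.

```c
/*
 * Added example (not OpenBSD's file(1)): single-process design that opens
 * every input first and then pledges down to "stdio" before parsing.
 */
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* pledge(2) exists only on OpenBSD. This shim is an assumption for other
 * hosts: it keeps the program compiling there while restricting nothing. */
static int
pledge(const char *promises, const char *execpromises)
{
	(void)promises;
	(void)execpromises;
	return 0;
}
#endif

/* Tiny constructed signature table standing in for magic(5). */
struct sig {
	const char	*bytes;
	size_t		 len;
	const char	*desc;
};

static const struct sig sigs[] = {
	{ "\x7f" "ELF", 4, "ELF executable" },
	{ "#!",         2, "script text executable" },
	{ "\x1f\x8b",   2, "gzip compressed data" },
	{ "%PDF",       4, "PDF document" },
};

/* Match the leading bytes of a buffer against the table; default "data". */
const char *
match_magic(const unsigned char *buf, size_t n)
{
	size_t i;

	if (n == 0)
		return "empty";
	for (i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++)
		if (n >= sigs[i].len &&
		    memcmp(buf, sigs[i].bytes, sigs[i].len) == 0)
			return sigs[i].desc;
	return "data";
}

/* Step 1: everything that needs the filesystem happens before pledge. */
int
open_inputs(const char *magicpath, const char *inputpath,
    int *magicfd, int *inputfd)
{
	if ((*magicfd = open(magicpath, O_RDONLY)) == -1)
		return -1;
	if ((*inputfd = open(inputpath, O_RDONLY)) == -1) {
		close(*magicfd);
		return -1;
	}
	return 0;
}

/* Step 2: drop to "stdio". From here on an open(2) kills the process. */
int
drop_to_stdio(void)
{
	return pledge("stdio", NULL);
}

/* Step 3: parse untrusted bytes from the descriptor opened in step 1. */
const char *
identify_fd(int fd)
{
	unsigned char buf[8];
	ssize_t n;

	if ((n = read(fd, buf, sizeof(buf))) < 0)
		return "unreadable";
	return match_magic(buf, (size_t)n);
}

/* The full sequence in the order the quoted diff proposes. */
const char *
classify(const char *magicpath, const char *inputpath)
{
	int magicfd, inputfd;
	const char *desc;

	if (open_inputs(magicpath, inputpath, &magicfd, &inputfd) == -1)
		return NULL;
	if (drop_to_stdio() == -1)
		err(1, "pledge");
	desc = identify_fd(inputfd);
	close(inputfd);
	close(magicfd);
	return desc;
}

int
main(int argc, char *argv[])
{
	const char *desc;

	if (argc != 3) {
		fprintf(stderr, "usage: %s magicfile input\n", argv[0]);
		return 1;
	}
	if ((desc = classify(argv[1], argv[2])) == NULL)
		err(1, "%s", argv[2]);
	printf("%s: %s\n", argv[2], desc);
	return 0;
}
```

The point of the layout is that the parser runs after the pledge call, so a bug in the signature matching can at most misreport or crash the process; on OpenBSD it cannot open, fork or exec anything, which is what the forked child plus imsg machinery was buying before.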
