June 15, 2021 2:51 PM, "Theo de Raadt" <dera...@openbsd.org> wrote:
> "attacker"?
Isn't the purpose of pledge() and unveil() to prevent a person with
a code execution bug from damaging the system?

> Seems to be working as intended. You are letting someone run all binaries.
And I am not letting someone write to the filesystem. Yet, they can
bypass that easily. `unveil("/", "rx")` gives a false illusion of
security, which can even trip up OpenBSD maintainers (more below).

> Or is it your expectation that all binaries should crash when they
> cannot start ld.so or load libc?
"/" is mounted for reads, why would a program crash while loading
libc? You don't need write access to execute a program.

> I'd say the problem is whoever wrote this unrealistic 2-liner code
> example, oh wait, that is you.
  (and)
> The expected uses of unveil and pledge aren't some weird fiction
> of "oh look I can use them wrong".
https://github.com/openbsd/src/commit/15e2c6823410e554b348cd3fb137566da656e866


Also to be clear - I'm not throwing blame at the author of the commit
here, it's not their fault. This behaviour isn't documented, so unless
you have seen the exec() source, you wouldn't know about it.



June 15, 2021 2:13 PM, "Claudio Jeker" <cje...@diehard.n-r-g.com> wrote:
> Why did you add "rx" for a read-only program?
Why can't a read-only program execute other programs? I can think of a lot
of use cases where that's useful.

> Initially the goal was to keep unveils on exec but it turned out that it
> is not feasible.
Out of curiosity, has there been any discussion on this? I tried
looking around on the mailing list archives, but I haven't found
anything regarding this.

> Maybe we can now document the exec behaviour since we
> will probably not change it again.
That'd be great, thanks!

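The bypass described in this reply, as an added example that is not code from the thread, from the linked commit, or from OpenBSD (the temp-file path under /tmp and the `/bin/sh -c` child are my choices): the parent applies the same `unveil("/", "rx")`, shows that its own write is refused, then execs a shell that writes the file anyway, because, as Claudio states above, unveils are not kept across exec. Only the unveil calls are OpenBSD-specific; on other systems the program runs with no sandbox at all and says so in its result, so the difference in the two fields is the whole point.

```c
/* unveil_exec_demo.c: added example, not code from the thread or from OpenBSD.
 * The parent applies unveil("/", "rx"), proves it cannot write, then execs a
 * child that writes the same file, because unveils are dropped on execve(2).
 * Only the unveil() calls are OpenBSD-specific; elsewhere the demo runs without
 * a sandbox and have_unveil stays 0. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

struct demo_result {
    int have_unveil;   /* 1 when unveil("/", "rx") was applied (OpenBSD only) */
    int parent_wrote;  /* 1 if the (sandboxed) parent managed to write the file */
    int child_wrote;   /* 1 if the exec'd child managed to write the file */
};

static int try_write(const char *path, const char *msg)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd == -1)
        return 0;                       /* EACCES under unveil "rx" */
    int ok = write(fd, msg, strlen(msg)) == (ssize_t)strlen(msg);
    close(fd);
    return ok;
}

static int file_holds(const char *path, const char *expect)
{
    char buf[64] = {0};
    int fd = open(path, O_RDONLY);      /* "r" is enough to read it back */
    if (fd == -1)
        return 0;
    ssize_t n = read(fd, buf, sizeof(buf) - 1);
    close(fd);
    return n > 0 && strcmp(buf, expect) == 0;
}

struct demo_result run_demo(void)
{
    struct demo_result r = {0, 0, 0};
    char path[] = "/tmp/unveil_demo.XXXXXX";   /* assumed scratch location */

    /* Create the target before sandboxing: under "rx" the parent could not. */
    int fd = mkstemp(path);
    if (fd == -1)
        return r;
    close(fd);

#ifdef __OpenBSD__
    /* The 2-liner from the thread: everything readable and executable,
     * nothing writable, then lock further unveil() calls. */
    if (unveil("/", "rx") == 0 && unveil(NULL, NULL) == 0)
        r.have_unveil = 1;
#endif

    /* 1. The parent itself is confined: the O_WRONLY open fails under "rx". */
    r.parent_wrote = try_write(path, "parent\n");

    /* 2. But "x" lets it exec, and the new image starts with no unveils,
     *    so a plain shell redirection writes the file the parent could not. */
    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", "echo child > \"$1\"", "sh", path, (char *)NULL);
        _exit(127);
    }
    int status;
    if (pid > 0 && waitpid(pid, &status, 0) == pid)
        r.child_wrote = file_holds(path, "child\n");

    /* Without unveil this cleans up; under "rx" unlink needs "c" and fails,
     * so on OpenBSD the scratch file is left behind. */
    unlink(path);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("unveil active: %d, parent wrote: %d, exec'd child wrote: %d\n",
           r.have_unveil, r.parent_wrote, r.child_wrote);
    return 0;
}
```

Build with `cc -o unveil_exec_demo unveil_exec_demo.c && ./unveil_exec_demo`. On OpenBSD the expected line is `unveil active: 1, parent wrote: 0, exec'd child wrote: 1`: the caller's own writes are blocked, yet any program it can exec is unconfined. A caller that wants the exec'd program confined has to either not grant "x" on a tree containing arbitrary binaries, or pass restrictions that do survive exec, such as the execpromises argument of pledge(2), which applies to the new process image.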