June 15, 2021 2:51 PM, "Theo de Raadt" <dera...@openbsd.org> wrote:

> "attacker"?

Isn't the purpose of pledge() and unveil() to prevent a person with a code execution bug from damaging the system?

> Seems to be working as intended. You are letting someone run all binaries.

And I am not letting someone write to the filesystem. Yet, they can bypass that easily. `unveil("/", "rx")` gives a false illusion of security, which can even trip up OpenBSD maintainers (more below).

> Or is your expectation that all binaries should crash when they
> cannot start ld.so or load libc?

"/" is mounted for reads, why would a program crash while loading libc? You don't need write access to execute a program.

> I'd say the problem is whoever wrote this unrealistic 2-liner code
> example, oh wait, that is you.

(and)

> The expected uses of unveil and pledge aren't some weird fiction
> of "oh look I can use them wrong".

https://github.com/openbsd/src/commit/15e2c6823410e554b348cd3fb137566da656e866

Also to be clear - I'm not throwing blame at the author of the commit here, it's not their fault. This behaviour isn't documented, so unless you have seen the exec() source, you wouldn't know about it.

June 15, 2021 2:13 PM, "Claudio Jeker" <cje...@diehard.n-r-g.com> wrote:

> Why did you add "rx" for a read-only program?

Why can't a read-only program execute other programs? I can think of a lot of use cases where that's useful.

> Initially the goal was to keep unveils on exec but it turned out that it
> is not feasible.

Out of curiosity, has there been any discussion on this? I tried looking around on the mailing list archives, but I haven't found anything regarding this.

> Maybe we can now document the exec behaviour since we
> will probably not change it again.

That'd be great, thanks!
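As an added example (not code from this thread or from OpenBSD), a small C probe for checking the exec behaviour discussed above on your own release: a child process unveils "/" with a given permission string, locks the unveil set, then execs /bin/sh and reports whether the exec'd program could write a file. The probe file path is a constructed placeholder, and on non-OpenBSD hosts the probe compiles but returns PROBE_UNSUPPORTED.

```c
/* Added example (not from the thread): probe whether a program exec'd
 * from a process restricted with unveil(2) keeps those restrictions.
 * Assumes OpenBSD; elsewhere it compiles but reports PROBE_UNSUPPORTED. */
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

#define PROBE_FILE "/tmp/unveil-exec-probe"  /* constructed placeholder path */

enum {
    PROBE_UNSUPPORTED   = -1, /* no unveil(2) on this host */
    PROBE_CHILD_DENIED  =  0, /* exec failed or the exec'd sh could not write */
    PROBE_CHILD_ALLOWED =  1  /* the exec'd sh wrote the file */
};

/* Fork a child that unveils "/" with `perms`, locks the unveil set, then
 * execs /bin/sh to attempt a write to PROBE_FILE. The parent keeps full
 * access, so it can clean up the probe file afterwards. */
int probe_exec_inherits_unveil(const char *perms)
{
#ifdef __OpenBSD__
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_UNSUPPORTED;
    if (pid == 0) {
        if (unveil("/", perms) == -1 || unveil(NULL, NULL) == -1)
            _exit(3);
        /* sh exits 0 only if the redirection (open for write) succeeded */
        execl("/bin/sh", "sh", "-c", "echo probe > " PROBE_FILE, (char *)NULL);
        _exit(2); /* exec refused, e.g. no "x" permission on / */
    }
    if (waitpid(pid, &status, 0) < 0)
        return PROBE_UNSUPPORTED;
    unlink(PROBE_FILE);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? PROBE_CHILD_ALLOWED : PROBE_CHILD_DENIED;
#else
    (void)perms;
    return PROBE_UNSUPPORTED;
#endif
}

int main(void)
{
    /* "r" must deny the exec itself; "rx" shows what the exec'd program sees. */
    printf("unveil(\"/\", \"r\")  -> %d\n", probe_exec_inherits_unveil("r"));
    printf("unveil(\"/\", \"rx\") -> %d\n", probe_exec_inherits_unveil("rx"));
    return 0;
}
```

Comparing the "r" result (exec denied) with the "rx" result shows whether your release carries the unveil set across execve(2); where it does not, grant only "r" to programs that need not exec, or pledge(2) them without the "exec" promise.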