On Mon, Jan 16, 2023 at 08:57:25AM -0700, Theo de Raadt wrote:
> I propose to relink sshd on every boot, before it gets started.
>
> This is like kernel, libc.so, libcrypto, and ld.so relinking.
>
> The sshd design self-protects itself quite well, but this kind of
> address space secrecy is still a good addition.
>
> Since the sshd binary becomes unique on every openbsd machine, we
> can also block a logged in user from inspecting it, and then using
> that information as part of a remote attack, so mode 511.
>
> I am surprised how this turned out. This could easily be done with
> a few other important daemons or tools.
Indeed seems easy, here are the bits for ntpd (patch on top of yours)
Index: etc/rc =================================================================== RCS file: /cvs/src/etc/rc,v retrieving revision 1.568 diff -u -p -r1.568 rc --- etc/rc 28 Dec 2022 09:53:33 -0000 1.568 +++ etc/rc 16 Jan 2023 16:53:15 -0000 @@ -237,7 +237,7 @@ ) || { _error=true; break; } done - for _bin in $_relink/usr/sbin/sshd ; do + for _bin in $_relink/usr/sbin/{ntpd,sshd} ; do _tmpdir=$(mktemp -dq $_relink/_rebuild.XXXXXXXXXXXX) && ( set -o errexit Index: usr.sbin/ntpd/Makefile =================================================================== RCS file: /cvs/src/usr.sbin/ntpd/Makefile,v retrieving revision 1.16 diff -u -p -r1.16 Makefile --- usr.sbin/ntpd/Makefile 20 Nov 2015 18:53:42 -0000 1.16 +++ usr.sbin/ntpd/Makefile 16 Jan 2023 16:53:15 -0000 @@ -1,6 +1,7 @@ # $OpenBSD: Makefile,v 1.16 2015/11/20 18:53:42 tedu Exp $ PROG= ntpd +BINMODE=511 SRCS= ntpd.c log.c ntp.c ntp_msg.c parse.y config.c \ server.c client.c sensors.c util.c ntp_dns.c \ control.c constraint.c @@ -17,3 +18,23 @@ LINKS= ${BINDIR}/ntpd ${BINDIR}/ntpctl MAN= ntpd.8 ntpd.conf.5 ntpctl.8 .include <bsd.prog.mk> + +# The relink kit, used on OpenBSD by /etc/rc + +Makefile.relink: ${.CURDIR}/../Makefile.inc ${.CURDIR}/Makefile + # XXX assume a concatenation of these is OK + cat ${.CURDIR}/../Makefile.inc ${.CURDIR}/Makefile > Makefile.relink + +ntpd.tar: ${OBJS} Makefile.relink + tar cf $@ ${OBJS} Makefile.relink + +afterinstall: ntpd.tar + install -d -o root -g wheel -m 755 \ + ${DESTDIR}/usr/share/relink/usr/sbin/ntpd + install -o ${BINOWN} -g ${BINGRP} -m 640 \ + ntpd.tar ${DESTDIR}/usr/share/relink/usr/sbin/ntpd/ntpd.tar + +relink: + cc -o ntpd `echo ${OBJS} | tr ' ' '\n' | sort -R` ${LDADD} + ./ntpd -n -f /etc/examples/ntpd.conf 2> /dev/zero && \ + install -o root -g wheel -m ${BINMODE} ntpd /usr/sbin/ntpd
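Review bot: in the etc/rc hunk, `for _bin in $_relink/usr/sbin/{ntpd,sshd} ; do` relies on brace expansion, which OpenBSD's ksh-based /bin/sh provides but which is not POSIX sh and is not used elsewhere in the surrounding loop; spelling out `$_relink/usr/sbin/ntpd $_relink/usr/sbin/sshd` is just as short and avoids the question. Also check the failure path, which is cut off in the context shown: the library loop immediately above ends in `) || { _error=true; break; }`, and if this loop does the same, a failed ntpd relink now also skips the sshd relink because ntpd is listed first. If sshd is the binary that must not be skipped, put it first in the list, or use `continue` instead of `break` so each daemon is attempted on its own.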
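Review bot: `BINMODE=511` in the first Makefile hunk also governs `${BINDIR}/ntpctl`, because the `LINKS= ${BINDIR}/ntpd ${BINDIR}/ntpctl` line in the next hunk's context makes ntpctl a hard link to the same file; with mode 0511 (r-x--x--x) an unprivileged user can still execute ntpctl but can no longer read either name, which is the point of the change. A one-line comment next to `BINMODE=511` saying that the loss of read permission on ntpctl is intentional would stop a later "fix" back to 555. The mode is consistent with the 640 used for ntpd.tar in the `afterinstall` target, so the object files cannot be read by a logged-in user either.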
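Review bot: the `relink:` target installs the freshly linked binary only as /usr/sbin/ntpd, while `LINKS= ${BINDIR}/ntpd ${BINDIR}/ntpctl` (in context above) makes ntpctl a hard link; after install(1) replaces /usr/sbin/ntpd, /usr/sbin/ntpctl still refers to the previous inode and therefore to the old, stale binary, so the target should re-create the link after the install (for example `ln -f /usr/sbin/ntpd /usr/sbin/ntpctl`). Smaller points in the same target: `2> /dev/zero` should be `2> /dev/null` (writing to /dev/zero happens to work, but every reader will take it for a typo); `./ntpd -n -f /etc/examples/ntpd.conf` proves that the relinked binary can parse a config, not that it will start with this machine's /etc/ntpd.conf, so consider testing the real file when it exists and falling back to the example; and the final `install -o root -g wheel -m ${BINMODE} ntpd /usr/sbin/ntpd` hardcodes owner, group and path where the `afterinstall` target just above uses `${BINOWN}`/`${BINGRP}`, so `${BINOWN}`, `${BINGRP}` and `${BINDIR}` would keep the two consistent. The link line `cc -o ntpd ... ${LDADD}` also drops `${LDFLAGS}`, which is only harmless as long as nothing in the Makefile or Makefile.inc sets them.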