Make use of doas mandatory to avoid running iblock as root.

2021-03-20 11:42:00 +01:00 · 2021-03-20 11:42:00 +01:00 · 461451d717
parent ddcacd328f
commit 461451d717
2 changed files with 18 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -7,13 +7,27 @@ It is meant to be used to block scanner connecting on unused ports.

 # How to use

+## Add a dedicated user
+
+```
+useradd -s /sbin/nologin _iblock
+```
+
+## Configure doas
+
+Add in `/etc/doas.conf`:
+
+```
+permit nopass _iblock cmd /sbin/pfctl
+```
+
 ## Configure inetd

 Start inetd service with this in `/etc/inetd.conf`:

 ```
-666 stream tcp nowait root /usr/local/bin/iblock iblock
-666 stream tcp6 nowait root /usr/local/bin/iblock iblock
+666 stream tcp nowait _iblock /usr/local/bin/iblock iblock
+666 stream tcp6 nowait _iblock /usr/local/bin/iblock iblock
 ```

 You can change the PF table by adding it as a parameter like this:
@ -51,4 +65,3 @@ In the example I added a label to the block rule, you can use `pfctl -s labels`

 - make install doing something
 - A proper man page
- make it work with doas
--- a/main.c
+++ b/main.c
@ -19,7 +19,7 @@ int main(int argc, char *argv[]){
 	char table[TABLE_LEN] = DEFAULT_TABLE;
 	int status;

-	if (unveil("/sbin/pfctl", "rx") != 0)
+	if (unveil("/usr/bin/doas", "rx") != 0)
 		err(1, "unveil");
 	if (pledge("exec inet stdio", NULL) != 0)
 		err(1, "pledge");
@ -48,7 +48,7 @@ int main(int argc, char *argv[]){
 	switch(sock.ss_family) {
 	case AF_INET: /* FALLTHROUGHT */
 	case AF_INET6:
-		execlp("/sbin/pfctl", "pfctl", "-t", table, "-T", "add", ip, NULL);
+		execlp("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
 		break;
 	default:
 		exit(2);