Tested unveiling CGI dirs and globs as executable.
This commit is contained in:
parent
03ca12d0c1
commit
69a253f820
|
|
@ -3,44 +3,29 @@ package main
|
|||
import (
|
||||
"golang.org/x/sys/unix"
|
||||
"log"
|
||||
"path/filepath"
|
||||
)
|
||||
|
||||
// Restrict access to the files specified in config in an OS-dependent way.
|
||||
// The OpenBSD implementation uses pledge(2) and unveil(2) to restrict the
|
||||
// operations available to the molly brown executable.
|
||||
func enableSecurityRestrictions(config Config, errorLog *log.Logger) {
|
||||
// Pledge to only use stdio, inet, rpath, and unveil syscalls.
|
||||
// If (S)CGI paths have been specified, also allow exec syscalls.
|
||||
// Please note that execpromises haven't been specified, meaning that
|
||||
// (S)CGI applications spawned by molly brown should pledge their own
|
||||
// restrictions.
|
||||
promises := "stdio inet rpath unveil"
|
||||
if len(config.CGIPaths) > 0 || len(config.SCGIPaths) > 0 {
|
||||
promises += " exec"
|
||||
}
|
||||
err := unix.PledgePromises(promises)
|
||||
if err != nil {
|
||||
errorLog.Println("Could not pledge: " + err.Error())
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
||||
// Unveil a specific list of files that we are allowed to access.
|
||||
err = unix.Unveil(config.DocBase, "r")
|
||||
err := unix.Unveil(config.DocBase, "r")
|
||||
if err != nil {
|
||||
errorLog.Println("Could not unveil DocBase: " + err.Error())
|
||||
log.Fatal(err)
|
||||
}
|
||||
for _, cgiPath := range config.CGIPaths {
|
||||
err = unix.Unveil(cgiPath, "rx")
|
||||
if err != nil {
|
||||
errorLog.Println("Could not unveil CGIPath: " + err.Error())
|
||||
log.Fatal(err)
|
||||
}
|
||||
}
|
||||
for _, scgiPath := range config.SCGIPaths {
|
||||
err = unix.Unveil(scgiPath, "rx")
|
||||
if err != nil {
|
||||
errorLog.Println("Could not unveil SCGIPaths: " + err.Error())
|
||||
log.Fatal(err)
|
||||
cgiGlobbedPaths, err := filepath.Glob(cgiPath)
|
||||
for _, cgiGlobbedPath := range cgiGlobbedPaths {
|
||||
log.Println("Unveiling \"" + cgiGlobbedPath + "\" as executable.")
|
||||
err = unix.Unveil(cgiGlobbedPath, "rx")
|
||||
if err != nil {
|
||||
errorLog.Println("Could not unveil CGIPaths: " + err.Error())
|
||||
log.Fatal(err)
|
||||
}
|
||||
}
|
||||
}
|
||||
err = unix.UnveilBlock()
|
||||
|
|
@ -48,4 +33,19 @@ func enableSecurityRestrictions(config Config, errorLog *log.Logger) {
|
|||
errorLog.Println("Could not block unveil: " + err.Error())
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
||||
// Pledge to only use stdio, inet, and rpath syscalls.
|
||||
// If CGI paths have been specified, also allow exec syscalls.
|
||||
// Please note that execpromises haven't been specified, meaning that
|
||||
// CGI applications spawned by molly brown should pledge their own
|
||||
// restrictions and unveil their own files.
|
||||
promises := "stdio inet rpath"
|
||||
if len(config.CGIPaths) > 0 {
|
||||
promises += " exec proc"
|
||||
}
|
||||
err = unix.PledgePromises(promises)
|
||||
if err != nil {
|
||||
errorLog.Println("Could not pledge: " + err.Error())
|
||||
log.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue