Added pledge(2) and unveil(2) system calls to improve security on OpenBSD. #13

Merged
solderpunk merged 5 commits from kvothe/molly-brown:master into master 2023-02-08 17:54:30 +00:00

Hi solderpunk!

I added some security features to the OpenBSD implementation of molly-brown. There's a new generic security.go file that provides the enableSecurityRestrictions() function, which is a no-op for other operating systems. When compiled on OpenBSD, security_openbsd.go is instead compiled, which restricts system calls with the pledge(2) system call (https://man.openbsd.org/pledge.2) and restricts filesystem access with the unveil(2) system call (https://man.openbsd.org/unveil.2).

I've tested these cases:

  • plain gemini server, no CGI configured. Any attempt to start a process and the molly brown server is aborted by the OS.
  • CGI gemini server. CGI path globs are unveiled as executable and molly brown is able to start those processes. Processes that haven't been whitelisted aren't executable by molly brown.
  • SCGI gemini server. The unix sockets specified in the config file are unveiled as read/write and molly brown is able to communicate with those processes.

(S)CGI processes that molly brown speaks with aren't restricted in the same manner and should restrict themselves prior to handling user input, but that's out of the scope of these changes.

Hope you dig!
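The three cases listed above (plain server, CGI, SCGI) come down to one startup procedure: unveil every path the server must still see, freeze the view with unveil(NULL, NULL), then drop to the smallest pledge promise set the configuration needs. The program below is an added example written for this page, not molly-brown's security.go or security_openbsd.go. Because the real pledge/unveil calls only compile on OpenBSD (golang.org/x/sys/unix provides unix.PledgePromises, unix.Unveil and unix.UnveilBlock there), it puts them behind a small Sandbox interface with a recording implementation so the planning logic runs anywhere. The Config field names, the "stdio rpath inet" baseline, the read-only unveil of the document root and TLS files, and the glob expansion with filepath.Glob are all assumptions for illustration; the page does not say how molly-brown chooses its promises or resolves CGI globs.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

// Config is the subset of a server configuration that matters for
// deciding what to pledge and unveil. The field names are assumptions
// made for this example, not molly-brown's configuration structure.
type Config struct {
	DocBase   string   // document root, served read-only
	CertPath  string   // TLS certificate (assumed to be needed read-only)
	KeyPath   string   // TLS private key (assumed to be needed read-only)
	CGIPaths  []string // CGI globs, expanded and unveiled for execution
	SCGIPaths []string // unix socket paths of SCGI backends
}

// Unveil is one (path, permissions) pair, in the order it is applied.
type Unveil struct{ Path, Perms string }

// Sandbox abstracts the OpenBSD calls so the planning logic can run on any
// OS. On OpenBSD this would be backed by unix.Unveil, unix.UnveilBlock and
// unix.PledgePromises from golang.org/x/sys/unix.
type Sandbox interface {
	Unveil(path, perms string) error
	UnveilBlock() error
	Pledge(promises string) error
}

// Recorder is a Sandbox that only records what would be applied. It mirrors
// the kernel rule that unveil after the block call is an error.
type Recorder struct {
	Unveils  []Unveil
	Blocked  bool
	Promises string
}

func (r *Recorder) Unveil(path, perms string) error {
	if r.Blocked {
		return errors.New("unveil after UnveilBlock")
	}
	r.Unveils = append(r.Unveils, Unveil{path, perms})
	return nil
}
func (r *Recorder) UnveilBlock() error       { r.Blocked = true; return nil }
func (r *Recorder) Pledge(promises string) error { r.Promises = promises; return nil }

// promisesFor returns the pledge promise set for cfg. A plain server gets no
// "proc exec", so any attempt to spawn a child kills the process; CGI adds
// them; SCGI adds "unix" for AF_UNIX sockets. Baseline is an assumption.
func promisesFor(cfg Config) string {
	p := []string{"stdio", "rpath", "inet"}
	if len(cfg.CGIPaths) > 0 {
		p = append(p, "proc", "exec")
	}
	if len(cfg.SCGIPaths) > 0 {
		p = append(p, "unix")
	}
	return strings.Join(p, " ")
}

// unveilsFor expands CGI globs once, at startup, and lists every path that
// must stay visible. unveil takes concrete paths, so a script that only
// matches a glob after startup stays hidden until the server restarts.
func unveilsFor(cfg Config, glob func(string) ([]string, error)) ([]Unveil, error) {
	out := []Unveil{{cfg.DocBase, "r"}, {cfg.CertPath, "r"}, {cfg.KeyPath, "r"}}
	for _, g := range cfg.CGIPaths {
		matches, err := glob(g)
		if err != nil {
			return nil, fmt.Errorf("cgi glob %q: %w", g, err)
		}
		sort.Strings(matches)
		for _, m := range matches {
			out = append(out, Unveil{m, "rx"}) // readable and executable
		}
	}
	for _, s := range cfg.SCGIPaths {
		out = append(out, Unveil{s, "rw"}) // connect and talk over the socket
	}
	return out, nil
}

// Apply runs the procedure in the only safe order: unveil everything, freeze
// the view, then pledge. Pledging first would require the "unveil" promise,
// and blocking first would hide every path unveiled afterwards.
func Apply(cfg Config, sb Sandbox, glob func(string) ([]string, error)) error {
	uv, err := unveilsFor(cfg, glob)
	if err != nil {
		return err
	}
	for _, u := range uv {
		if err := sb.Unveil(u.Path, u.Perms); err != nil {
			return err
		}
	}
	if err := sb.UnveilBlock(); err != nil {
		return err
	}
	return sb.Pledge(promisesFor(cfg))
}

func main() {
	// Constructed sample configuration; paths are illustrative only.
	cfg := Config{DocBase: "/var/gemini", CertPath: "/etc/molly/cert.pem",
		KeyPath: "/etc/molly/key.pem", CGIPaths: []string{"/var/gemini/cgi-bin/*"},
		SCGIPaths: []string{"/var/run/app.sock"}}
	rec := &Recorder{}
	if err := Apply(cfg, rec, filepath.Glob); err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, u := range rec.Unveils {
		fmt.Printf("unveil %-32s %s\n", u.Path, u.Perms)
	}
	fmt.Println("pledge", rec.Promises)
}
```

Two practical points follow from the ordering. First, because the CGI globs are resolved before UnveilBlock, anything dropped into the CGI directory after startup is not executable until the server restarts, which is the price of "processes that haven't been whitelisted aren't executable". Second, on OpenBSD a pledge violation (a plain server trying to fork) is a SIGABRT, not an error return, so a misconfigured promise set shows up as a crash with a kernel log line rather than a handled error; test the real binary under each configuration, as the PR author did, rather than relying on the recorder alone.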

solderpunk merged commit b16a8584a6 into master 2023-02-08 17:54:30 +00:00
Reference: solderpunk/molly-brown#13