
Tested unveiling CGI dirs and globs as executable.

This commit is contained in:
kvothe 2020-09-15 22:14:12 -04:00
parent 03ca12d0c1
commit 69a253f820


@ -3,44 +3,29 @@ package main
import ( import (
"golang.org/x/sys/unix" "golang.org/x/sys/unix"
"log" "log"
"path/filepath"
) )
// Restrict access to the files specified in config in an OS-dependent way. // Restrict access to the files specified in config in an OS-dependent way.
// The OpenBSD implementation uses pledge(2) and unveil(2) to restrict the // The OpenBSD implementation uses pledge(2) and unveil(2) to restrict the
// operations available to the molly brown executable. // operations available to the molly brown executable.
func enableSecurityRestrictions(config Config, errorLog *log.Logger) { func enableSecurityRestrictions(config Config, errorLog *log.Logger) {
// Pledge to only use stdio, inet, rpath, and unveil syscalls.
// If (S)CGI paths have been specified, also allow exec syscalls.
// Please note that execpromises haven't been specified, meaning that
// (S)CGI applications spawned by molly brown should pledge their own
// restrictions.
promises := "stdio inet rpath unveil"
if len(config.CGIPaths) > 0 || len(config.SCGIPaths) > 0 {
promises += " exec"
}
err := unix.PledgePromises(promises)
if err != nil {
errorLog.Println("Could not pledge: " + err.Error())
log.Fatal(err)
}
// Unveil a specific list of files that we are allowed to access. // Unveil a specific list of files that we are allowed to access.
err = unix.Unveil(config.DocBase, "r") err := unix.Unveil(config.DocBase, "r")
if err != nil { if err != nil {
errorLog.Println("Could not unveil DocBase: " + err.Error()) errorLog.Println("Could not unveil DocBase: " + err.Error())
log.Fatal(err) log.Fatal(err)
} }
for _, cgiPath := range config.CGIPaths { for _, cgiPath := range config.CGIPaths {
err = unix.Unveil(cgiPath, "rx") cgiGlobbedPaths, err := filepath.Glob(cgiPath)
if err != nil { for _, cgiGlobbedPath := range cgiGlobbedPaths {
errorLog.Println("Could not unveil CGIPath: " + err.Error()) log.Println("Unveiling \"" + cgiGlobbedPath + "\" as executable.")
log.Fatal(err) err = unix.Unveil(cgiGlobbedPath, "rx")
} if err != nil {
} errorLog.Println("Could not unveil CGIPaths: " + err.Error())
for _, scgiPath := range config.SCGIPaths { log.Fatal(err)
err = unix.Unveil(scgiPath, "rx") }
if err != nil {
errorLog.Println("Could not unveil SCGIPaths: " + err.Error())
log.Fatal(err)
} }
} }
err = unix.UnveilBlock() err = unix.UnveilBlock()
@ -48,4 +33,19 @@ func enableSecurityRestrictions(config Config, errorLog *log.Logger) {
errorLog.Println("Could not block unveil: " + err.Error()) errorLog.Println("Could not block unveil: " + err.Error())
log.Fatal(err) log.Fatal(err)
} }
// Pledge to only use stdio, inet, and rpath syscalls.
// If CGI paths have been specified, also allow exec syscalls.
// Please note that execpromises haven't been specified, meaning that
// CGI applications spawned by molly brown should pledge their own
// restrictions and unveil their own files.
promises := "stdio inet rpath"
if len(config.CGIPaths) > 0 {
promises += " exec proc"
}
err = unix.PledgePromises(promises)
if err != nil {
errorLog.Println("Could not pledge: " + err.Error())
log.Fatal(err)
}
} }
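Review bot: The error returned by `filepath.Glob(cgiPath)` on the new side of the first hunk is never checked: the `:=` in the loop body declares a fresh `err` that is only read after the later `unix.Unveil` call overwrites it, so a malformed pattern (`filepath.ErrBadPattern`) produces an empty match list and that CGI path is silently never unveiled, which only surfaces as an exec failure at request time once `UnveilBlock` has sealed the namespace. Since every other unveil failure in this function is fatal, the glob result should be handled the same way directly after the call, `if err != nil { errorLog.Println("Could not glob CGIPath: " + err.Error()); log.Fatal(err) }`, and a pattern that matches nothing at all deserves at least a warning for the same reason. In the second hunk the comment above the pledge says only `exec` is added while the code appends `" exec proc"`; it should read `// If CGI paths have been specified, also allow exec and proc syscalls.`. The new side also drops the unveil of `config.SCGIPaths`; if those are filesystem socket paths they will be hidden after `UnveilBlock`, so it is worth confirming that omission is intended.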