From 69a253f8208318d8560659476e4df61481ba6758 Mon Sep 17 00:00:00 2001 From: kvothe Date: Tue, 15 Sep 2020 22:14:12 -0400 Subject: [PATCH] Tested unveiling CGI dirs and globs as executable. --- security_openbsd.go | 52 ++++++++++++++++++++++----------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/security_openbsd.go b/security_openbsd.go index a82c545..bf17af9 100644 --- a/security_openbsd.go +++ b/security_openbsd.go @@ -3,44 +3,29 @@ package main import ( "golang.org/x/sys/unix" "log" + "path/filepath" ) // Restrict access to the files specified in config in an OS-dependent way. // The OpenBSD implementation uses pledge(2) and unveil(2) to restrict the // operations available to the molly brown executable. func enableSecurityRestrictions(config Config, errorLog *log.Logger) { - // Pledge to only use stdio, inet, rpath, and unveil syscalls. - // If (S)CGI paths have been specified, also allow exec syscalls. - // Please note that execpromises haven't been specified, meaning that - // (S)CGI applications spawned by molly brown should pledge their own - // restrictions. - promises := "stdio inet rpath unveil" - if len(config.CGIPaths) > 0 || len(config.SCGIPaths) > 0 { - promises += " exec" - } - err := unix.PledgePromises(promises) - if err != nil { - errorLog.Println("Could not pledge: " + err.Error()) - log.Fatal(err) - } + // Unveil a specific list of files that we are allowed to access. - err = unix.Unveil(config.DocBase, "r") + err := unix.Unveil(config.DocBase, "r") if err != nil { errorLog.Println("Could not unveil DocBase: " + err.Error()) log.Fatal(err) } for _, cgiPath := range config.CGIPaths { - err = unix.Unveil(cgiPath, "rx") - if err != nil { - errorLog.Println("Could not unveil CGIPath: " + err.Error()) - log.Fatal(err) - } - } - for _, scgiPath := range config.SCGIPaths { - err = unix.Unveil(scgiPath, "rx") - if err != nil { - errorLog.Println("Could not unveil SCGIPaths: " + err.Error()) - log.Fatal(err) + cgiGlobbedPaths, err := filepath.Glob(cgiPath) + for _, cgiGlobbedPath := range cgiGlobbedPaths { + log.Println("Unveiling \"" + cgiGlobbedPath + "\" as executable.") + err = unix.Unveil(cgiGlobbedPath, "rx") + if err != nil { + errorLog.Println("Could not unveil CGIPaths: " + err.Error()) + log.Fatal(err) + } } } err = unix.UnveilBlock() @@ -48,4 +33,19 @@ func enableSecurityRestrictions(config Config, errorLog *log.Logger) { errorLog.Println("Could not block unveil: " + err.Error()) log.Fatal(err) } + + // Pledge to only use stdio, inet, and rpath syscalls. + // If CGI paths have been specified, also allow exec syscalls. + // Please note that execpromises haven't been specified, meaning that + // CGI applications spawned by molly brown should pledge their own + // restrictions and unveil their own files. + promises := "stdio inet rpath" + if len(config.CGIPaths) > 0 { + promises += " exec proc" + } + err = unix.PledgePromises(promises) + if err != nil { + errorLog.Println("Could not pledge: " + err.Error()) + log.Fatal(err) + } }