On 10/10/15 02:10, Theo de Raadt wrote:

> CVSROOT: /cvs

> Module name: src

> Changes by: 2015/10/09 18:10:08

>

> Modified files:

> bin/ksh : Makefile c_sh.c main.c

> distrib/special/ksh: Makefile

>

> Log message:

> ksh can run with pledge "stdio rpath wpath cpath getpw fattr proc exec tty"

> if the mknod builtin is disabled. It looks like a lot of abilities, but

> hey, this is a shell. can't open sockets or do other nasty stuff though.

> (we'll leave the mknod builtin enabled on the install media for now; there

> is work happening to regain the MAKEDEV performance in a different way)

> discussions with otto & millert in particular


Hello tech@,

First of all thank you Theo and all the other OpenBSD developers for

bringing tame^Wpledge into our lives. I think it's a great system for

adding security to applications.



I am however curious about this patch. By pledging ksh with exec it appears

to me that once a pledged process is execve(2)d it loses its already

made pledges. (how else could applications spawned from the shell

still get their network interaction going?) This to me seems like

something that might be undesirable (find remote code execution->insert

exec of application->do some evil network activity)

Is the above observation correct or am I missing something?



Another option that would seem interesting to me is to be able to pledge

new applications before they get executed. This would for instance allow

to revoke proc/exec in doas(1) before it execs the final application

itself. This would allow for something similar to the NOEXEC function

from sudo. Since my vias[1] patch was dismissed and some don't seem to

mind running their editor (with shell capabilities) as another user it

would seem only fitting to me that doas(1) would be able to revoke

executing privileges from the editor before it is fired up, so as not to be

able to do whatever we please as the user running the editor.

Is something like this in the pipeline?



Let the record show that this mail is written out of ignorance and

merely intended to get myself educated on the subject and to poke the

bear to see its (future) capabilities. Not to criticise, or to get

mauled by said bear.



Sincerely,



Martijn van Duren



[1] a new version against the latest doas is up at http://imperialat.at/vias.diff

for the potential few actually using it.
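A worked example of the second idea in the mail above, a doas-style wrapper that pledges the program it is about to exec so that proc/exec are gone before the editor starts. This is added example code, not part of the original thread and not OpenBSD's doas(1) or ksh. It assumes the two-argument form of pledge(2) that OpenBSD added later (the second argument, the execpromises, becomes the pledge of the program that execve(2) loads); with the single-argument pledge being discussed in the thread the restrictions simply do not follow the new image. On non-OpenBSD systems a no-op shim is compiled in only so the file builds, and nothing is enforced there. The promise string, the helper name promises_without and its token-dropping behaviour are this example's own choices.

```c
/* pledge_exec.c: exec a program so that it starts life already pledged.
 *
 * usage: ./pledge_exec vi /etc/doas.conf
 * The wrapper keeps "proc exec" for itself (it must exec), but derives a
 * narrower list for the child by dropping those two promises.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <err.h>

#ifdef __OpenBSD__
/* unistd.h declares pledge(const char *promises, const char *execpromises) */
#else
/* Portability shim (assumption): lets the file compile on other systems.
 * It enforces nothing; only the OpenBSD kernel applies the pledge. */
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises;
    (void)execpromises;
    return 0;
}
#endif

/* Is the token tok (of length toklen) present as a whole word in the
 * space-separated list? */
static int token_in(const char *list, const char *tok, size_t toklen)
{
    const char *p = list;
    while (*p) {
        while (*p == ' ')
            p++;
        const char *s = p;
        while (*p && *p != ' ')
            p++;
        if ((size_t)(p - s) == toklen && memcmp(s, tok, toklen) == 0)
            return 1;
    }
    return 0;
}

/* Copy the promise list base into out, dropping every token that appears
 * in drop. Returns the number of promises kept, or -1 if out is too small.
 * Empty output is a valid result: the child then gets no abilities at all. */
int promises_without(const char *base, const char *drop, char *out, size_t outlen)
{
    size_t used = 0;
    int kept = 0;
    const char *p = base;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    while (*p) {
        while (*p == ' ')
            p++;
        if (!*p)
            break;
        const char *s = p;
        while (*p && *p != ' ')
            p++;
        size_t len = (size_t)(p - s);
        if (token_in(drop, s, len))
            continue;                       /* revoked for the child */
        size_t need = len + (kept ? 1 : 0); /* separator + token */
        if (used + need >= outlen)
            return -1;
        if (kept)
            out[used++] = ' ';
        memcpy(out + used, s, len);
        used += len;
        out[used] = '\0';
        kept++;
    }
    return kept;
}

int main(int argc, char *argv[])
{
    /* the set from the ksh commit quoted above; the wrapper itself needs
     * proc and exec, the program it runs should not have them */
    const char *ours = "stdio rpath wpath cpath getpw fattr proc exec tty";
    char child[256];

    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    if (promises_without(ours, "proc exec", child, sizeof child) < 0)
        errx(1, "promise list too long");

    /* first argument: this process; second: whatever execvp loads next */
    if (pledge(ours, child) == -1)
        err(1, "pledge");
    execvp(argv[1], argv + 1);
    err(1, "execvp %s", argv[1]);
}
```

On OpenBSD the exec'd editor then runs with "stdio rpath wpath cpath getpw fattr tty": a shell escape from inside it fails because exec is not among its promises, which is the NOEXEC-like behaviour the mail asks for. The wrapper keeps its own full list because pledge(2) has to be called before, not after, the execvp(3) that it still needs.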


