#5
29th October 2015
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,727
For those who follow -current, tame() was renamed to pledge(2), and there have been major developments and restructuring of userland programs for 5.9, which are continuing. All who follow the misc@ mailing list will have seen some of the discussion -- if only from users caught by problems during this rapid development across most of OpenBSD's userland.

As a -current user, I read daily digests of the commit logs. This particular commit to rdate(8) caught my eye, as it is an example of the more active, robust analysis of the code base currently in progress as pledge() gets deployed system-wide.
Code:
rdate is a classic "run as root, talk to internet for a while doing
crazy packet parsing, then do something requiring privilege at the
end" program.  Simplistic pledge would be "stdio rpath wpath inet dns
settime", which is not very useful.  Imagine if it was exploited?  It
could still change your time backwards or write to your passwd file -
game over.  However the pledge "categorization" is educational, and
quickly leads to a priv-sep solution of sorts.

Create a pipe and fork.  child pledges "stdio inet dns", and talks the
time protocols, then writes error message + timeinfo to the pipe.
parent pledges "stdio rpath wpath settime" and reads error
message/timeinfo from pipe.  If error message, spit it out.  Otherwise
handle the time, then pledge "stdio rpath", and finally report how the
time was adjusted.

A bit more complicated.  Now observe that the pledges help test if
it is right...
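The pipe-and-fork split the commit message sketches, written out as an added example for this post (this is not OpenBSD's rdate(8) source). The child takes "stdio inet dns" and is the only process that would ever parse network data; the parent takes "stdio rpath wpath settime", reads either an error string or the remote time from the pipe, and drops to "stdio rpath" once the clock has been handled. Assumptions: the real time-protocol exchange is replaced by a constructed constant SAMPLE_REMOTE_TIME (with a flag to simulate a child-side failure), pledge(2) is compiled out on non-OpenBSD systems so the structure can still be run there, and the names run_privsep_rdate, child_fetch and must_pledge are mine.

```c
#include <sys/types.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <err.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Message the unprivileged child hands to the privileged parent over the pipe. */
struct timemsg {
	int		has_error;
	char		errmsg[128];
	long long	remote_time;	/* seconds since the epoch, as reported by the "server" */
};

/* What the parent reports back to its caller. */
struct rdate_result {
	long long	remote_time;
	long long	delta;		/* remote minus local, in seconds */
	char		errmsg[128];
};

/* Constructed stand-in for the value a time server would return (2015-10-29 00:00 UTC). */
#define SAMPLE_REMOTE_TIME 1446076800LL

/* pledge(2) exists only on OpenBSD; elsewhere it is compiled out (assumption for portability). */
static void
must_pledge(const char *promises)
{
#ifdef __OpenBSD__
	if (pledge(promises, NULL) == -1)
		err(1, "pledge: %s", promises);
#else
	(void)promises;
#endif
}

static int
write_all(int fd, const void *buf, size_t len)
{
	const char *p = buf;
	while (len > 0) {
		ssize_t n = write(fd, p, len);
		if (n == -1) { if (errno == EINTR) continue; return -1; }
		p += n; len -= (size_t)n;
	}
	return 0;
}

static int
read_all(int fd, void *buf, size_t len)
{
	char *p = buf;
	while (len > 0) {
		ssize_t n = read(fd, p, len);
		if (n == -1) { if (errno == EINTR) continue; return -1; }
		if (n == 0) return -1;	/* child exited without sending a full message */
		p += n; len -= (size_t)n;
	}
	return 0;
}

/* Child: only "stdio inet dns" survive, so a bug in packet parsing can neither write
 * files nor touch the clock. The network talk itself is replaced by a constructed value. */
static void
child_fetch(int wfd, int simulate_error)
{
	struct timemsg m;

	must_pledge("stdio inet dns");
	memset(&m, 0, sizeof m);
	if (simulate_error) {
		m.has_error = 1;
		snprintf(m.errmsg, sizeof m.errmsg, "connect: %s", "Connection refused (constructed)");
	} else
		m.remote_time = SAMPLE_REMOTE_TIME;
	_exit(write_all(wfd, &m, sizeof m) == -1 ? 1 : 0);
}

/* Parent: returns 0 and fills *out on success, -1 with out->errmsg set on a child-reported
 * error. apply=0 computes the adjustment without calling settimeofday(2), which needs root. */
int
run_privsep_rdate(struct rdate_result *out, int simulate_error, int apply)
{
	int p[2], status;
	pid_t pid;
	struct timemsg m;

	memset(out, 0, sizeof *out);
	if (pipe(p) == -1 || (pid = fork()) == -1)
		return -1;
	if (pid == 0) {
		close(p[0]);
		child_fetch(p[1], simulate_error);
	}
	close(p[1]);

	must_pledge("stdio rpath wpath settime");	/* no inet/dns from here on */
	if (read_all(p[0], &m, sizeof m) == -1) { close(p[0]); return -1; }
	close(p[0]);
	while (waitpid(pid, &status, 0) == -1 && errno == EINTR)
		;
	if (m.has_error) {
		m.errmsg[sizeof m.errmsg - 1] = '\0';
		snprintf(out->errmsg, sizeof out->errmsg, "%s", m.errmsg);
		return -1;
	}
	out->remote_time = m.remote_time;
	out->delta = m.remote_time - (long long)time(NULL);
	if (apply) {
		struct timeval tv = { .tv_sec = (time_t)m.remote_time, .tv_usec = 0 };
		if (settimeofday(&tv, NULL) == -1)
			return -1;
	}
	must_pledge("stdio rpath");	/* clock handled: drop settime and wpath before reporting */
	return 0;
}
```

Because the parent's pledges persist for the rest of the process, this mirrors a one-shot program: on OpenBSD call run_privsep_rdate once per process (a second fork would violate the pledge); on other systems the pledge calls are no-ops and the fork/pipe protocol, including the error path, can be exercised repeatedly.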