On Thu, Jul 25, 2019 at 07:16:27AM -0500, Edgar Pettijohn wrote:
>
> On Jul 24, 2019 9:06 PM, Andrew Hewus Fresh <and...@afresh1.com> wrote:
> >
> > On Sat, Jul 20, 2019 at 07:20:23PM -0500, Edgar Pettijohn wrote:
> > > Is there a standard OpenBSD approved method for dropping privileges in
> > > a perl server? Currently looking into Privileges::Drop, but since it
> > > isn't in base makes me curious if there is a better way.
> >
> >
> > It's relatively easy to do it yourself like I did in this Plack example.
> >
> > https://gist.github.com/afresh1/558fc0b4dfbeab0fbd59
> >
> > use POSIX qw( setuid setgid );
> > chroot $root || die "Couldn't chroot to $root: $!";
> > setgid($gid) || die "Couldn't setgid $group [$gid]: $!";
> > setuid($uid) || die "Couldn't setuid $user [$uid]: $!";
> >
>
> That's too easy. I was expecting it to be more difficult.
It was pointed out to me that I missed the chdir after the chroot that
is required to not have a possible leak.
chroot $root || die "Couldn't chroot to $root: $!";
chdir '/' || die "Couldn't chdir to '/': $!";
https://perldoc.perl.org/5.30.0/functions/chroot.html
> NOTE: It is good security practice to do chdir("/")
> (chdir to the root directory) immediately after a chroot.
Sorry about that!
>
> Thanks,
>
> Edgar
> > I don't know exactly what you're looking for though, so maybe
> > OpenBSD::Pledge(3p) or OpenBSD::Unveil(3p) are more what you want?
> >
> > http://man.openbsd.org/OpenBSD::Pledge
> > http://man.openbsd.org/OpenBSD::Unveil
> >
> >
> > l8rZ,
> > --
> > andrew - http://afresh1.com
> >
> > ($do || !$do) && undef($try) ; # Master of Perl, Yoda is. Hmmmm?
> >
--
andrew - http://afresh1.com
Whatever happened to the days when hacking started at the cerebral cortex
and not the keyboard?
-- Sid from UserFriendly.org
