Andrew Hewus Fresh <and...@afresh1.com> wrote:
> On Thu, Jul 25, 2019 at 07:16:27AM -0500, Edgar Pettijohn wrote:
> >
> > On Jul 24, 2019 9:06 PM, Andrew Hewus Fresh <and...@afresh1.com> wrote:
> > >
> > > On Sat, Jul 20, 2019 at 07:20:23PM -0500, Edgar Pettijohn wrote:
> > > > Is there a standard OpenBSD approved method for dropping privileges in
> > > > a perl server? Currently looking into Privileges::Drop, but since it
> > > > isn't in base makes me curious if there is a better way.
> > > >
> > >
> > > It's relatively easy to do it yourself like I did in this Plack example.
> > >
> > > https://gist.github.com/afresh1/558fc0b4dfbeab0fbd59
> > >
> > > use POSIX qw( setuid setgid );
> > > chroot $root || die "Couldn't chroot to $root: $!";
> > > setgid($gid) || die "Couldn't setgid $group [$gid]: $!";
> > > setuid($uid) || die "Couldn't setuid $user [$uid]: $!";
> > >
> >
> > That's too easy. I was expecting it to be more difficult.
>
> It was pointed out to me that I missed the chdir after the chroot that
> is required to not have a possible leak.
>
> chroot $root || die "Couldn't chroot to $root: $!";
> chdir '/' || die "Couldn't chdir to '/': $!";
>
> > https://perldoc.perl.org/5.30.0/functions/chroot.html
> > NOTE: It is good security practice to do chdir("/")
> > (chdir to the root directory) immediately after a chroot.
>
> Sorry about that!
The phrasing "good security practice" is quite disappointing, when it is MANDATORY. Much like saying it is not good practice to wipe your bum. It is mandatory because otherwise a program-user can arrange for cwd to be outside the jail, and utilize that fact to pivot, and in some program path utilizations the chroot then becomes not just pointless... it is worse than normal, because it creates a dual-namespace view of the filesystem, that is a condition that program and libraries are not prepared to operate in.
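As an added example (not from the thread or from the linked gist), here is the full sequence the thread converges on written as one Perl routine: chroot, then the mandatory chdir to '/', then groups, then uid. It goes a little beyond the quoted snippets by also clearing supplementary groups and verifying afterwards that root cannot be regained; the account name, group and jail path are placeholders.

```perl
#!/usr/bin/perl
# Added example: drop privileges in the order the thread settles on.
# Must start as root; chroot(2) and setuid(2) to another user need it.
use strict;
use warnings;
use POSIX qw( setuid setgid getuid geteuid getgid getegid );
use Cwd qw( getcwd );

# Placeholder account, group and jail; substitute the ones your daemon uses.
my ( $user, $group, $root ) = ( '_mydaemon', '_mydaemon', '/var/empty' );

sub drop_privileges {
    my ( $user, $group, $root ) = @_;

    my $uid = getpwnam($user);
    defined $uid or die "Unknown user $user\n";
    my $gid = getgrnam($group);
    defined $gid or die "Unknown group $group\n";

    # Open log files, sockets, etc. before this point: once chrooted,
    # the rest of the filesystem is unreachable.
    chroot $root or die "Couldn't chroot to $root: $!";
    # Mandatory, not optional: without it cwd still points outside the jail.
    chdir '/' or die "Couldn't chdir to '/': $!";

    # Supplementary groups: assigning "$gid $gid" to $) calls setegid()
    # with the first number and setgroups() with the rest, so nothing but
    # the target group remains in the list. Reading $) back confirms it.
    $) = "$gid $gid";
    $) eq "$gid $gid" or die "Couldn't set groups to $gid: $!";
    setgid($gid) or die "Couldn't setgid $group [$gid]: $!";
    setuid($uid) or die "Couldn't setuid $user [$uid]: $!";

    # Verify: real and effective ids are the target, and root cannot be
    # regained (POSIX::setuid returns undef on failure).
    getuid() == $uid && geteuid() == $uid
        && getgid() == $gid && getegid() == $gid
        or die "Privileges not fully dropped\n";
    setuid(0) and die "Was still able to regain root\n";

    return $uid;
}

drop_privileges( $user, $group, $root );
print "Running as uid ", getuid(), " gid ", getgid(),
      " with cwd ", getcwd(), " inside $root\n";
```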