On Fri, Jan 31, 2020 at 10:47:17AM +0100, Patrick Kristiansen wrote:
> On Fri, Jan 31, 2020, at 09:29, Janne Johansson wrote:
> > Den tors 30 jan. 2020 kl 21:08 skrev Patrick Kristiansen 
> > <patr...@tamstrup.dk>:
> > >  > Properly starting up a daemon process requires several steps,
> > >  > often involving unveil(2), pledge(2), chroot(2), privilege
> > >  > dropping, sometimes fork+exec for privilege separation, and so on
> > > 
> > >  The process I need to run is written in Clojure and thus runs on the
> > >  Java Virtual Machine. Do you have any suggestions on how to best go
> > >  about making it "daemon-like"? I am not sure that I can call unveil(2),
> > >  pledge(2) and chroot(2) from Clojure without some strange sorcery.
> > 
> > So not related to only Clojure but rather on runtimes that are large
> > and unwieldy, this seems to be exactly why pledge() and unveil() came
> > into being in the first place, after seeing things that need to do
> > certain privileged operations at some early point, but because of
> > design/runtime/hard-to-pledge or whatever has to run with the sum of
> > all privileges, all capabilities at all times and at the same time
> > being exposed to potential hostile data.
> 
> Yes. I completely understand the motivation behind pledge, unveil and
> similar constructs. I also understand that it sort of runs counter to
> using one of the world's most secure-by-default operating systems if you
> then run an insecure monstrosity on top of it. I was just starting to
> like the OpenBSD experience as a user and sysadmin. :-)
> 
> But I also think that it is unrealistic to expect applications to be
> written to the same standard as OpenBSD, given the resources needed for
> that. Many startups would never get off the ground if that were the
> case.
> 
> > I can fully see why Ingo would say "I would not run things like that
> > exposed", partly because I figure he actually has a choice to not do
> > it, but regardless of what electric fences you like (SELinux,
> > capsicum, pledge/unveil, chroots) if you create a huge monolith
> > running in an environment which actively prevents you from activating
> > any kinds of protections, then I can see how you would see some
> > friction.
> 
> I would like to get more information about doing application programming
> for an OS like OpenBSD. I understand that if you program your
> applications in C, you have readily available pledge/unveil, etc. But
> many applications are written in higher-level languages, and in my case
> at least, it seems to be nearly impossible to write a secure application
> without changing to C or some other language that can easily use
> OpenBSD's system calls. And for a mediocre programmer, or just an
> inexperienced one, it exposes you to a whole host of other problems that
> can lead to worse security and quality.
> 
> The solution is probably just to be a good programmer. ;-)
> 

For the record, I am also interested in information on how pledge(2) and
unveil(2) would interact with a "higher level language". I would also 
be happy to learn more about how they interact with assembly. My
conceptual understanding can probably still be improved upon.
In the spirit of not demanding too much time from my contemporaries I
am especially grateful for pointers to conceptual documentation and to
implementation documentation. I have the impression that it seems
effective to get a conceptual overview first.

[[ I have the suspicion that being a good programmer crucially depends
on having conceptual understanding. Maybe it also depends on practice.]]

Concretely:
Just to start off easy, how can I find conceptual documentation on
what an operating system "process" is in OpenBSD and how deeply a libc
is tied into that by design? As far as I am aware a process has the
"current working directory" associated with it, in order to be able to
resolve relative paths and is also where "environment variables" are
stored.  These remind me of dynamic bindings, at least in spirit. I am
only aware of plain C having lexical bindings, in contrast to this.

(I am also still fuzzy on how intertwined an operating system and a CPU
are. From my superficial understanding, e.g.  the operating system has
to be aware of the MMU. I am concretely speaking of amd64 territory
here.)

https://man.openbsd.org/process :
did not turn up anything

https://man.openbsd.org/pledge  :
where is further information on what a process is?

https://man.openbsd.org/unveil :
where is further information on what a process is?




Best Regards,

Andrew
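As an added example (not code from this thread) of the "sorcery" Patrick mentions: a higher-level runtime can reach unveil(2) and pledge(2) by calling libc through its FFI, shown here with Python's ctypes (JNA would play the same role on the JVM). The paths and promises below are constructed placeholders; whatever the runtime, the promises cover the entire process, including the runtime's own threads, so the set has to include what the runtime itself needs.

```python
import ctypes
# Constructed example policy (not from the thread): files a small daemon
# may touch, and the pledge(2) promises its steady state needs.
UNVEIL_PATHS = [("/etc/ssl/cert.pem", "r"),   # read the CA bundle
                ("/var/db/mydaemon", "rwc")]  # read/write/create its state dir
PROMISES = "stdio rpath wpath cpath inet dns"

def validate_policy(paths, promises):
    """unveil(2) permissions use only the letters r, w, x, c and paths should
    be absolute; catch typos here instead of as EINVAL at startup.
    Returns the sorted, de-duplicated promise list."""
    for path, perm in paths:
        if not path.startswith("/"):
            raise ValueError("unveil path must be absolute: %r" % path)
        if not set(perm) <= set("rwxc"):
            raise ValueError("bad unveil permissions %r for %s" % (perm, path))
    return sorted(set(promises.split()))

def _syscalls():
    """Resolve unveil/pledge from libc with dlsym; None where libc lacks them."""
    libc = ctypes.CDLL(None, use_errno=True)
    try:
        unveil, pledge = libc.unveil, libc.pledge
    except AttributeError:          # not an OpenBSD libc
        return None
    for fn in (unveil, pledge):
        fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        fn.restype = ctypes.c_int
    return unveil, pledge

def sandbox_available():
    return _syscalls() is not None

def apply_sandbox(paths, promises):
    """Unveil each path, lock unveil with unveil(NULL, NULL), then pledge.
    Order matters: after pledge, unveil(2) is only allowed with the "unveil"
    promise. Returns the applied promises, or None if unsupported here."""
    promise_list = validate_policy(paths, promises)
    calls = _syscalls()
    if calls is None:
        return None
    unveil, pledge = calls
    for path, perm in paths:
        if unveil(path.encode(), perm.encode()) == -1:
            raise OSError(ctypes.get_errno(), "unveil(%s) failed" % path)
    if unveil(None, None) == -1:
        raise OSError(ctypes.get_errno(), "locking unveil failed")
    if pledge(promises.encode(), None) == -1:  # NULL: leave execpromises as is
        raise OSError(ctypes.get_errno(), "pledge failed")
    return promise_list
```

Which promises a given runtime needs is found empirically: a violation kills the process with SIGABRT and the kernel logs the offending system call.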
