Hi!

The following diff changes two related aspects of www/lynx port:

 1.  Currently lynx is killed with SIGABRT by pledge when the user follows
     a URL to an image file.  I guess the same happens when the user
     configures mailcap or handlers for MIME types.  Properly removing this
     functionality from lynx would require a lot of time both right now
     and during upgrades.  The patch below changes LYSystem() to return
     early, pretending that system(3) failed.

     This is not a proper solution to the problem, but at least it stops
     lynx from dying.

 2.  This patch also adds an "exec" flavor that calls pledge with "exec"
     and "proc" promises, so that external editor and image viewer can
     actually be used.  This is also a temporary solution before the
     real issue is addressed upstream.  I am not sure there is still a
     good reason for pledge in this flavor though.

Comments?  OKs?

-- 
Dmitrij D. Czarkoff

Index: Makefile
===================================================================
RCS file: /cvs/ports/www/lynx/Makefile,v
retrieving revision 1.27
diff -u -p -r1.27 Makefile
--- Makefile    17 May 2016 00:08:44 -0000      1.27
+++ Makefile    2 Jun 2016 10:19:43 -0000
@@ -7,6 +7,7 @@ DISTNAME =      lynx${V}dev.${PL}
 PKGNAME =      lynx-${V}pl${PL}
 EXTRACT_SUFX = .tar.bz2
 CATEGORIES =   www net
+REVISION =     0
 
 HOMEPAGE =     http://lynx.invisible-island.net/
 
@@ -22,6 +23,16 @@ MASTER_SITES =       http://invisible-mirror.n
                ftp://invisible-island.net/lynx/tarballs/
 
 LIB_DEPENDS =  archivers/bzip2
+
+FLAVORS =      exec
+FLAVOR ?=
+
+PATCH_LIST =   patch-*
+.if ${FLAVOR:Mexec}
+PATCH_LIST +=  exec-*
+.else
+PATCH_LIST +=  noexec-*
+.endif
 
 CONFIGURE_STYLE =      gnu
 CONFIGURE_ARGS =       --datarootdir="${PREFIX}/share/doc/lynx" \
Index: patches/exec-src_LYMain_c
===================================================================
RCS file: patches/exec-src_LYMain_c
diff -N patches/exec-src_LYMain_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/exec-src_LYMain_c   2 Jun 2016 10:47:49 -0000
@@ -0,0 +1,21 @@
+$OpenBSD: patch-src_LYMain_c,v 1.2 2016/04/15 03:21:51 tb Exp $
+--- src/LYMain.c.orig  Fri Dec 18 01:34:45 2015
++++ src/LYMain.c       Mon Apr 11 01:55:21 2016
+@@ -2142,6 +2142,17 @@ int main(int argc,
+     }
+ 
+     /*
++     * Disabling rlogin and telnet and calling pledge
++     */
++    rlogin_ok = FALSE;
++    telnet_ok = FALSE;
++
++    if (pledge("stdio rpath wpath cpath fattr dns inet tty proc exec", NULL) == -1) {
++      fprintf(stderr, "%s: pledge: %s\n", getprogname(), strerror(errno));
++      exit_immediately(EXIT_FAILURE);
++    }
++
++    /*
+      * Here's where we do all the work.
+      */
+     if (dump_output_immediately) {
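Review bot: The comment added above the pledge call in this exec variant says only "Disabling rlogin and telnet and calling pledge" and does not explain why "proc exec" are promised, or that no_editor, no_exec, no_mail and no_shell are intentionally left unset here, unlike in the noexec variant. As far as pledge(2) goes, the promises restrict lynx itself and are not carried over to programs it executes, so an editor, viewer or mailcap handler started through system(3) runs unrestricted; since the userdefs.h mailcap change exists only in the noexec-* set, this flavor also reads the regular mailcap files again. I would say so in the comment, for example `* "proc exec" are kept so external helpers can be run; the helpers themselves are not pledged.` The `$OpenBSD:` line copied from patch-src_LYMain_c should probably be a bare `$OpenBSD$` in a newly added file. main() begins and ends outside the hunk.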
Index: patches/noexec-src_LYMain_c
===================================================================
RCS file: patches/noexec-src_LYMain_c
diff -N patches/noexec-src_LYMain_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/noexec-src_LYMain_c 15 Apr 2016 03:21:51 -0000
@@ -0,0 +1,26 @@
+$OpenBSD: patch-src_LYMain_c,v 1.2 2016/04/15 03:21:51 tb Exp $
+--- src/LYMain.c.orig  Fri Dec 18 01:34:45 2015
++++ src/LYMain.c       Mon Apr 11 01:55:21 2016
+@@ -2142,6 +2142,22 @@ int main(int argc,
+     }
+ 
+     /*
++     * Disabling features requiring 'proc' + 'exec' and calling pledge
++     */
++    no_editor = TRUE;
++    no_exec = TRUE;
++    no_mail = TRUE;
++    no_shell = TRUE;
++
++    rlogin_ok = FALSE;
++    telnet_ok = FALSE;
++
++    if (pledge("stdio rpath wpath cpath fattr dns inet tty", NULL) == -1) {
++      fprintf(stderr, "%s: pledge: %s\n", getprogname(), strerror(errno));
++      exit_immediately(EXIT_FAILURE);
++    }
++
++    /*
+      * Here's where we do all the work.
+      */
+     if (dump_output_immediately) {
Index: patches/noexec-src_LYUtils_c
===================================================================
RCS file: patches/noexec-src_LYUtils_c
diff -N patches/noexec-src_LYUtils_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/noexec-src_LYUtils_c        2 Jun 2016 10:40:31 -0000
@@ -0,0 +1,18 @@
+$OpenBSD: patch-src_LYUtils_c,v 1.1 2016/03/12 14:29:13 tb Exp $
+
+The only purpose of LYSystem() function is to execute "command".  Our pledge(2)
+will not allow system(3) anyway, so just return early saying that system(3)
+failed.
+
+--- src/LYUtils.c.orig Sun Mar 22 16:38:23 2015
++++ src/LYUtils.c      Thu Jun  2 12:38:29 2016
+@@ -7185,6 +7185,9 @@ static char *escape_backslashes(char *source)
+  */
+ int LYSystem(char *command)
+ {
++    errno = EPERM;
++    return -1;
++
+     int code;
+     int do_free = 0;
+ 
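Review bot: The two added statements sit before `int code;` and `int do_free = 0;`, so the rest of LYSystem() becomes unreachable code that is still compiled, with declarations following a statement and `command` unused on the only live path; compilers are likely to warn, and the intent is easy to miss on the next upstream update. I would put a one-line comment in the C source itself, such as `/* OpenBSD: pledged without "proc exec"; report failure instead of calling system(3) */`, and either move the early return below the declarations or guard the original body with a preprocessor conditional. The stub also only covers callers that go through LYSystem(); whether lynx has other fork/exec or popen paths is not visible here, and any such path would still be killed by pledge, so that is worth checking. The function body continues past the end of the hunk.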
Index: patches/noexec-userdefs_h
===================================================================
RCS file: patches/noexec-userdefs_h
diff -N patches/noexec-userdefs_h
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/noexec-userdefs_h   15 Apr 2016 03:21:52 -0000
@@ -0,0 +1,25 @@
+$OpenBSD: patch-userdefs_h,v 1.1 2016/04/15 03:21:52 tb Exp $
+--- userdefs.h.orig    Tue Dec 22 02:45:35 2015
++++ userdefs.h Thu Apr 14 00:11:57 2016
+@@ -129,8 +129,8 @@
+  * Mappings in these global and personal files override any VIEWER
+  * definitions in lynx.cfg and built-in defaults from src/HTInit.c.
+  */
+-#define GLOBAL_MAILCAP "Lynx_Dir:mailcap"
+-#define PERSONAL_MAILCAP ".mailcap"
++#define GLOBAL_MAILCAP "/dev/null"
++#define PERSONAL_MAILCAP "/dev/null"
+ 
+ /**************************
+  * XLOADIMAGE_COMMAND will be used as a default in src/HTInit.c
+@@ -327,8 +327,8 @@
+  * Mappings in these global and personal files override any VIEWER
+  * definitions in lynx.cfg and built-in defaults from src/HTInit.c.
+  */
+-#define GLOBAL_MAILCAP MIME_LIBDIR "mailcap"
+-#define PERSONAL_MAILCAP "~/.mailcap"
++#define GLOBAL_MAILCAP "/dev/null"
++#define PERSONAL_MAILCAP "/dev/null"
+ 
+ /**************************
+  * XLOADIMAGE_COMMAND will be used as a default in src/HTInit.c for
Index: patches/patch-src_LYMain_c
===================================================================
RCS file: patches/patch-src_LYMain_c
diff -N patches/patch-src_LYMain_c
--- patches/patch-src_LYMain_c  15 Apr 2016 03:21:51 -0000      1.2
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,26 +0,0 @@
-$OpenBSD: patch-src_LYMain_c,v 1.2 2016/04/15 03:21:51 tb Exp $
---- src/LYMain.c.orig  Fri Dec 18 01:34:45 2015
-+++ src/LYMain.c       Mon Apr 11 01:55:21 2016
-@@ -2142,6 +2142,22 @@ int main(int argc,
-     }
- 
-     /*
-+     * Disabling features requiring 'proc' + 'exec' and calling pledge
-+     */
-+    no_editor = TRUE;
-+    no_exec = TRUE;
-+    no_mail = TRUE;
-+    no_shell = TRUE;
-+
-+    rlogin_ok = FALSE;
-+    telnet_ok = FALSE;
-+
-+    if (pledge("stdio rpath wpath cpath fattr dns inet tty", NULL) == -1) {
-+      fprintf(stderr, "%s: pledge: %s\n", getprogname(), strerror(errno));
-+      exit_immediately(EXIT_FAILURE);
-+    }
-+
-+    /*
-      * Here's where we do all the work.
-      */
-     if (dump_output_immediately) {
Index: patches/patch-userdefs_h
===================================================================
RCS file: patches/patch-userdefs_h
diff -N patches/patch-userdefs_h
--- patches/patch-userdefs_h    15 Apr 2016 03:21:52 -0000      1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,25 +0,0 @@
-$OpenBSD: patch-userdefs_h,v 1.1 2016/04/15 03:21:52 tb Exp $
---- userdefs.h.orig    Tue Dec 22 02:45:35 2015
-+++ userdefs.h Thu Apr 14 00:11:57 2016
-@@ -129,8 +129,8 @@
-  * Mappings in these global and personal files override any VIEWER
-  * definitions in lynx.cfg and built-in defaults from src/HTInit.c.
-  */
--#define GLOBAL_MAILCAP "Lynx_Dir:mailcap"
--#define PERSONAL_MAILCAP ".mailcap"
-+#define GLOBAL_MAILCAP "/dev/null"
-+#define PERSONAL_MAILCAP "/dev/null"
- 
- /**************************
-  * XLOADIMAGE_COMMAND will be used as a default in src/HTInit.c
-@@ -327,8 +327,8 @@
-  * Mappings in these global and personal files override any VIEWER
-  * definitions in lynx.cfg and built-in defaults from src/HTInit.c.
-  */
--#define GLOBAL_MAILCAP MIME_LIBDIR "mailcap"
--#define PERSONAL_MAILCAP "~/.mailcap"
-+#define GLOBAL_MAILCAP "/dev/null"
-+#define PERSONAL_MAILCAP "/dev/null"
- 
- /**************************
-  * XLOADIMAGE_COMMAND will be used as a default in src/HTInit.c for
Index: pkg/DESCR
===================================================================
RCS file: /cvs/ports/www/lynx/pkg/DESCR,v
retrieving revision 1.4
diff -u -p -r1.4 DESCR
--- pkg/DESCR   17 Jul 2014 12:15:21 -0000      1.4
+++ pkg/DESCR   2 Jun 2016 13:02:55 -0000
@@ -12,3 +12,7 @@ information systems intended primarily f
 Lynx has been used to build several Campus Wide Information Systems
 (CWIS). In addition, Lynx can be used to build systems isolated within a
 single LAN.
+
+The "exec" flavor of lynx is capable of calling external programs using
+dangerous system(3) function.  Basically it concedes security to
+convenience of calling external editor, image view, file handlers, etc.
