← Back to context

Comment by the8472

4 years ago

No. Having inheritance a default is fine.

Not having an option to opt out when your program voluntarily tries to secure itself is terrible because it means fewer programs can use it to secure themselves. A classic example would be an ssh server. You want to factor it into several components, one that talks to the network and a privileged (root) part that spawns the child processes with arbitrary uids. The latter part can reasonably pledge away a lot of its privileges but its children must run unrestricted (but often on unprivileged users).

8 comments

the8472

Reply
jart  4 years ago

This is a good example that really helps to explain things. SECCOMP's model of monotonically decreasing permissions seems the most intuitive. However with something like an SSH server I imagine the great fear is a remote exec compromise. pledge() fixes that, since after you call pledge, you can't create new PROT_EXEC memory. Plus OpenBSD enforces a W^X invariant so we can say for certain nothing like a pre-existing executable stack gets grandfathered in. So what they're doing seems reasonable to me. It's an added feature that our Linux polyfill can't offer. But that doesn't mean our pledge() doesn't work as advertised. We simply offer a subset of behaviors. It's not a disjoint paradigm that some people here have made it out to be.

staticassertion  4 years ago

All that's required to emulate "no inheritance" is a broker.

  • jart  4 years ago

    Yes but we can't always assume a broker is installed. For instance I distribute a lot of foss software. I don't want to have to ask my users to install and adopt these other tools in order to use my code. I don't want to have to ask people to do things like run my security daemon as root. What I like about this new pledge.com program is it doesn't need root. I could just incorporate it into a build process or automated tooling for instance, and it would just work, and wouldn't inconvenience anyone. The only thing it needs is a Linux Kernel from the last 12 years.

    • staticassertion  4 years ago

      You can package the broker yourself and launch it before you pledge.

      Keep in mind that if you can:

      1. write to a file 2. Make that file executable (or write to an already-executable file, or an executable that provides scripting/ code exec natively)

      And you have the `exec` capability, the sandbox is trivial to bypass in the face of code execution in the pledge'd process.

      2 replies →

  • the8472  4 years ago

    But that's the issue. In the example I gave we already have a broker (the root process spawning ssh shells). But we want to restrict the broker too to make it more difficult to exploit. To do that we need to pledge without inheritance.