Documentation on OpenBSD's 3-process privsep model?

I'd appreciate some pointers to documentation or minimal examples of
the 3-process privilege separation model for OpenBSD's daemons.
Internet searches pointed to skeleton examples at
github.com/krwesterback/newd and github.com/krwesterback/newdctl, but
those repos are now dead and it's unclear how authoritative they were
in the first place.

misopolemiac <[hidden email]> wrote:

> I'd appreciate some pointers to documentation or minimal examples of
> the 3-process privilege separation model for OpenBSD's daemons.
> Internet searches pointed to skeleton examples at
> github.com/krwesterback/newd and github.com/krwesterback/newdctl, but
> those repos are now dead and it's unclear how authoritative they were
> in the first place.

This is not difficult: Use the repository.

Go find a privsep daemon.  Go look at the earliest revisions, when the
problems were simple.  Follow the commits forward.

And learn.

On 23/03/2021 05:53, misopolemiac wrote:
> I'd appreciate some pointers to documentation or minimal examples of
> the 3-process privilege separation model for OpenBSD's daemons.
> Internet searches pointed to skeleton examples at
> github.com/krwesterback/newd and github.com/krwesterback/newdctl, but
> those repos are now dead and it's unclear how authoritative they were
> in the first place.
>
>

Blind leading the blind here, but I think a good starting point would be
recent presentations by Marc Espie, who, I believe but I might be wrong,
is the developer who worked the most on privsep.

http://www.openbsd.org/events.html

--
Ottavio Caruso

On Tue, Mar 23, 2021 at 09:41:06AM +0000, Ottavio Caruso wrote:
Definitely not at all.

I haven't worked the most on privsep, by far.

and the examples I've worked on are highly specific and probably
not applicable to most of the base code.

On 31/03/2021 04:46, Marc Espie wrote:
I was wrong then. My apologies. Still, it's worth giving a look at the
events page. I have learnt a lot about OpenBSD going through all
presentations and papers, despite understanding only 0.1% of the
technical details.

--
Ottavio Caruso

On Mar 31, 2021 3:02 AM, Ottavio Caruso
<[hidden email]> wrote:

  On 31/03/2021 04:46, Marc Espie wrote:
  > On Tue, Mar 23, 2021 at 09:41:06AM +0000, Ottavio Caruso wrote:
  >> On 23/03/2021 05:53, misopolemiac wrote:
  >>> I'd appreciate some pointers to documentation or minimal examples
  of
  >>> the 3-process privilege separation model for OpenBSD's daemons.
  >>> Internet searches pointed to skeleton examples at
  >>> github.com/krwesterback/newd and github.com/krwesterback/newdctl,
  but
  >>> those repos are now dead and it's unclear how authoritative they
  were
  >>> in the first place.
  >>>
  >>>
  >>
  >> Blind leading the blind here, but I think a good starting point
  would be
  >> recent presentations by Marc Espie, who, I believe but I might be
  wrong, is
  >> the developer who worked the most on privsep.
  >>
  >> http://www.openbsd.org/events.html
  >
  > Definitely not at all.
  >
  > I haven't worked the most on privsep, by far.
  >
  > and the examples I've worked on are highly specific and probably
  > not applicable to most of the base code.
  >
  >

  I was wrong then. My apologies. Still, it's worth giving a look at
  the
  events page. I have learnt a lot about OpenBSD going through all
  presentations and papers, despite understanding only 0.1% of the
  technical details.

  --
  Ottavio Caruso



I often use the source for identd as a template. It's a fairly simple
daemon. So it's easy to gut it and rework it to fit your needs.
Edgar