perl privilege drop

perl privilege drop

Edgar Pettijohn III-2
Is there a standard OpenBSD approved method for dropping privileges in a perl server? Currently looking into Privileges::Drop, but since it isn't in base makes me curious if there is a better way.

Thanks,

Edgar

Re: perl privilege drop

Andrew Hewus Fresh
On Sat, Jul 20, 2019 at 07:20:23PM -0500, Edgar Pettijohn wrote:
> Is there a standard OpenBSD approved method for dropping privileges in
> a perl server? Currently looking into Privileges::Drop, but since it
> isn't in base makes me curious if there is a better way.


It's relatively easy to do it yourself like I did in this Plack example.

https://gist.github.com/afresh1/558fc0b4dfbeab0fbd59

    use POSIX qw( setuid setgid );
    chroot $root || die "Couldn't chroot to $root: $!";
    setgid($gid) || die "Couldn't setgid $group [$gid]: $!";
    setuid($uid) || die "Couldn't setuid $user [$uid]: $!";

I don't know exactly what you're looking for though, so maybe
OpenBSD::Pledge(3p) or OpenBSD::Unveil(3p) are more what you want?

http://man.openbsd.org/OpenBSD::Pledge
http://man.openbsd.org/OpenBSD::Unveil


l8rZ,
--
andrew - http://afresh1.com

($do || !$do) && undef($try) ;  # Master of Perl, Yoda is.  Hmmmm?

Re: perl privilege drop

Edgar Pettijohn III-2
In reply to this post by Edgar Pettijohn III-2

On Jul 24, 2019 9:06 PM, Andrew Hewus Fresh <[hidden email]> wrote:

>
> On Sat, Jul 20, 2019 at 07:20:23PM -0500, Edgar Pettijohn wrote:
> > Is there a standard OpenBSD approved method for dropping privileges in
> > a perl server? Currently looking into Privileges::Drop, but since it
> > isn't in base makes me curious if there is a better way.
>
>
> It's relatively easy to do it yourself like I did in this Plack example.
>
> https://gist.github.com/afresh1/558fc0b4dfbeab0fbd59
>
>     use POSIX qw( setuid setgid );
>     chroot $root || die "Couldn't chroot to $root: $!";
>     setgid($gid) || die "Couldn't setgid $group [$gid]: $!";
>     setuid($uid) || die "Couldn't setuid $user [$uid]: $!";
>

That's too easy. I was expecting it to be more difficult.

Thanks,

Edgar

> I don't know exactly what you're looking for though, so maybe
> OpenBSD::Pledge(3p) or OpenBSD::Unveil(3p) are more what you want?
>
> http://man.openbsd.org/OpenBSD::Pledge
> http://man.openbsd.org/OpenBSD::Unveil
>
>
> l8rZ,
> --
> andrew - http://afresh1.com
>
> ($do || !$do) && undef($try) ;  # Master of Perl, Yoda is.  Hmmmm?
>

Re: perl privilege drop

Andrew Hewus Fresh
In reply to this post by Edgar Pettijohn III-2
On Thu, Jul 25, 2019 at 07:16:27AM -0500, Edgar Pettijohn wrote:

>
> On Jul 24, 2019 9:06 PM, Andrew Hewus Fresh <[hidden email]> wrote:
> >
> > On Sat, Jul 20, 2019 at 07:20:23PM -0500, Edgar Pettijohn wrote:
> > > Is there a standard OpenBSD approved method for dropping privileges in
> > > a perl server? Currently looking into Privileges::Drop, but since it
> > > isn't in base makes me curious if there is a better way.
> >
> >
> > It's relatively easy to do it yourself like I did in this Plack example.
> >
> > https://gist.github.com/afresh1/558fc0b4dfbeab0fbd59
> >
> >     use POSIX qw( setuid setgid );
> >     chroot $root || die "Couldn't chroot to $root: $!";
> >     setgid($gid) || die "Couldn't setgid $group [$gid]: $!";
> >     setuid($uid) || die "Couldn't setuid $user [$uid]: $!";
> >
>
> That's too easy. I was expecting it to be more difficult.

It was pointed out to me that I missed the chdir after the chroot that
is required to not have a possible leak.

    chroot $root || die "Couldn't chroot to $root: $!";
    chdir '/'    || die "Couldn't chdir to '/': $!";


https://perldoc.perl.org/5.30.0/functions/chroot.html
> NOTE: It is good security practice to do chdir("/")
> (chdir to the root directory) immediately after a chroot.

Sorry about that!



>
> Thanks,
>
> Edgar
> > I don't know exactly what you're looking for though, so maybe
> > OpenBSD::Pledge(3p) or OpenBSD::Unveil(3p) are more what you want?
> >
> > http://man.openbsd.org/OpenBSD::Pledge
> > http://man.openbsd.org/OpenBSD::Unveil
> >
> >
> > l8rZ,
> > --
> > andrew - http://afresh1.com
> >
> > ($do || !$do) && undef($try) ;  # Master of Perl, Yoda is.  Hmmmm?
> >

--
andrew - http://afresh1.com

Whatever happened to the days when hacking started at the cerebral cortex
and not the keyboard?
                      -- Sid from UserFriendly.org

Re: perl privilege drop

Theo de Raadt-2
Andrew Hewus Fresh <[hidden email]> wrote:

> On Thu, Jul 25, 2019 at 07:16:27AM -0500, Edgar Pettijohn wrote:
> >
> > On Jul 24, 2019 9:06 PM, Andrew Hewus Fresh <[hidden email]> wrote:
> > >
> > > On Sat, Jul 20, 2019 at 07:20:23PM -0500, Edgar Pettijohn wrote:
> > > > Is there a standard OpenBSD approved method for dropping privileges in
> > > > a perl server? Currently looking into Privileges::Drop, but since it
> > > > isn't in base makes me curious if there is a better way.
> > >
> > >
> > > It's relatively easy to do it yourself like I did in this Plack example.
> > >
> > > https://gist.github.com/afresh1/558fc0b4dfbeab0fbd59
> > >
> > >     use POSIX qw( setuid setgid );
> > >     chroot $root || die "Couldn't chroot to $root: $!";
> > >     setgid($gid) || die "Couldn't setgid $group [$gid]: $!";
> > >     setuid($uid) || die "Couldn't setuid $user [$uid]: $!";
> > >
> >
> > That's too easy. I was expecting it to be more difficult.
>
> It was pointed out to me that I missed the chdir after the chroot that
> is required to not have a possible leak.
>
>     chroot $root || die "Couldn't chroot to $root: $!";
>     chdir '/'    || die "Couldn't chdir to '/': $!";
>
>
> https://perldoc.perl.org/5.30.0/functions/chroot.html
> > NOTE: It is good security practice to do chdir("/")
> > (chdir to the root directory) immediately after a chroot.
>
> Sorry about that!

The phrasing "good security practice" is quite disappointing, when it
is MANDATORY.  Much like saying it is not good practice to wipe your bum.

It is mandatory because otherwise a program-user can arrange for cwd
to be outside the jail, and utilize that fact to pivot, and in some
program path utilizations the chroot then becomes not just pointless..
it is worse than normal, because it creates a dual-namespace view of
the filesystem, that is a condition that program and libraries are not
prepared to operate in.
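
Added example (not from any poster in this thread or the linked gist): the sequence discussed above as one Perl routine, with chdir('/') directly after chroot. It goes beyond the thread by also resetting supplementary groups and verifying that root cannot be regained; drop_privileges, the '_myapp' account and '/var/www' are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
# Added example; not code from the thread or the linked gist.
use strict;
use warnings;
use POSIX qw( setuid setgid );

# drop_privileges() is a hypothetical helper name. Must run as root.
sub drop_privileges {
    my ( $user, $root ) = @_;

    # Resolve the account before chroot: the passwd database is
    # normally not reachable from inside the new root.
    my ( $uid, $gid ) = ( getpwnam($user) )[ 2, 3 ];
    defined $uid or die "Unknown user $user\n";
    $uid != 0 or die "Refusing to 'drop' to uid 0\n";

    chroot $root or die "Couldn't chroot to $root: $!";
    # Without this chdir, cwd still refers to a directory outside $root.
    chdir '/' or die "Couldn't chdir to '/': $!";

    # Replace root's supplementary groups while still privileged.
    # Per perlvar, "$gid $gid" sets the egid and leaves only $gid in
    # the group list; failures are reported through $!.
    local $! = 0;
    $) = "$gid $gid";
    die "Couldn't reset groups to $gid: $!" if $!;

    # Group first: after setuid the process can no longer change gids.
    setgid($gid) or die "Couldn't setgid [$gid]: $!";
    setuid($uid) or die "Couldn't setuid $user [$uid]: $!";

    # Verify the result instead of trusting return values alone.
    my ($rgid) = split ' ', $(;
    my ( $egid, @groups ) = split ' ', $);
    die "uid not dropped\n" unless $< == $uid && $> == $uid;
    die "gid not dropped\n" unless $rgid == $gid && $egid == $gid;
    die "extra groups remain: @groups\n" if grep { $_ != $gid } @groups;
    die "Able to regain root\n" if setuid(0);

    return ( $uid, $gid );
}

# Constructed usage: the account and directory are placeholders.
if ( !caller ) {
    my ( $uid, $gid ) = drop_privileges( '_myapp', '/var/www' );
    print "running as uid $uid gid $gid\n";
}
```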

Re: perl privilege drop

Andrew Hewus Fresh
On Thu, Jul 25, 2019 at 09:35:44AM -0600, Theo de Raadt wrote:
> Andrew Hewus Fresh <[hidden email]> wrote:
> > https://perldoc.perl.org/5.30.0/functions/chroot.html
> > > NOTE: It is good security practice to do chdir("/")
> > > (chdir to the root directory) immediately after a chroot.
> >
>
> The phrasing "good security practice" is quite disappointing, when it
> is MANDATORY.  Much like saying it is not good practice to wipe your bum.


I filed a ticket with some possibly improved wording, lightly based on
what's below.

https://rt.perl.org/Public/Bug/Display.html?id=134314


> It is mandatory because otherwise a program-user can arrange for cwd
> to be outside the jail, and utilize that fact to pivot, and in some
> program path utilizations the chroot then becomes not just pointless..
> it is worse than normal, because it creates a dual-namespace view of
> the filesystem, that is a condition that program and libraries are not
> prepared to operate in.

l8rZ,
--
andrew - http://afresh1.com

What are the unsurpassable real world weaknesses in OpenBSD,
    that you know of?    
                      -- Kevin Chadwick <[hidden email]>
Lots of fake people attacking the project on the mailing lists makes
    them a poor resource for users.
                      -- Theo de Raadt <[hidden email]>