-rw-r--r--usr.sbin/acme-client/Makefile4
-rw-r--r--usr.sbin/acme-client/acctproc.c13
-rw-r--r--usr.sbin/acme-client/certproc.c13
-rw-r--r--usr.sbin/acme-client/chngproc.c16
-rw-r--r--usr.sbin/acme-client/dnsproc.c21
-rw-r--r--usr.sbin/acme-client/extern.h9
-rw-r--r--usr.sbin/acme-client/fileproc.c19
-rw-r--r--usr.sbin/acme-client/keyproc.c13
-rw-r--r--usr.sbin/acme-client/main.c14
-rw-r--r--usr.sbin/acme-client/netproc.c14
-rw-r--r--usr.sbin/acme-client/revokeproc.c13
-rw-r--r--usr.sbin/acme-client/sandbox-pledge.c83
-rw-r--r--usr.sbin/acme-client/util-pledge.c65
13 files changed, 57 insertions, 240 deletions
diff --git a/usr.sbin/acme-client/Makefile b/usr.sbin/acme-client/Makefile
index 6d373e561cb..5df53d61b55 100644
--- a/usr.sbin/acme-client/Makefile
+++ b/usr.sbin/acme-client/Makefile
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.3 2016/08/31 22:28:23 florian Exp $
+# $OpenBSD: Makefile,v 1.4 2016/09/01 00:21:36 deraadt Exp $
PROG= acme-client
SRCS= acctproc.c base64.c certproc.c chngproc.c dbg.c dnsproc.c
SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c netproc.c
-SRCS+= revokeproc.c rsa.c sandbox-pledge.c util-pledge.c util.c
+SRCS+= revokeproc.c rsa.c util.c
MAN= acme-client.1
LDADD= -ltls -lssl -lcrypto
diff --git a/usr.sbin/acme-client/acctproc.c b/usr.sbin/acme-client/acctproc.c
index dc1189cae8d..2559c43ede4 100644
--- a/usr.sbin/acme-client/acctproc.c
+++ b/usr.sbin/acme-client/acctproc.c
@@ -1,4 +1,4 @@
-/* $Id: acctproc.c,v 1.3 2016/08/31 23:52:30 benno Exp $ */
+/* $Id: acctproc.c,v 1.4 2016/09/01 00:21:36 deraadt Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -348,17 +348,12 @@ acctproc(int netsock, const char *acctkey, int newacct)
/* File-system, user, and sandbox jailing. */
- if ( ! sandbox_before())
- goto out;
-
ERR_load_crypto_strings();
- if ( ! dropfs(PATH_VAR_EMPTY))
- goto out;
- else if ( ! dropprivs())
- goto out;
- else if ( ! sandbox_after())
+ if (pledge("stdio", NULL) == -1) {
+ warn("pledge");
goto out;
+ }
/*
* Seed our PRNG with data from arc4random().
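Review bot: The context comment `/* File-system, user, and sandbox jailing. */` above the new pledge() call no longer describes what follows — the chroot and privilege-drop steps are gone from this path and only the pledge remains — so it should read `/* Sandbox: this process needs nothing beyond stdio. */`. The same stale comment survives in the certproc.c, keyproc.c and revokeproc.c hunks ("File-system and sandbox jailing." / "File-system, user, and sandbox jail.") and in the second main.c hunk ("Jail: sandbox, file-system, user."). The removed dropfs()/dropprivs() calls were no-ops for these processes (see the deleted util-pledge.c), so the pledge-only replacement loses no confinement. The new warn() and pledge() calls presumably rely on <err.h> and <unistd.h> already being included in each of these files; worth confirming, since the deleted sandbox-pledge.c was the unit that included them. acctproc's body continues outside the hunk.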
diff --git a/usr.sbin/acme-client/certproc.c b/usr.sbin/acme-client/certproc.c
index a75112b84ee..b005f647566 100644
--- a/usr.sbin/acme-client/certproc.c
+++ b/usr.sbin/acme-client/certproc.c
@@ -1,4 +1,4 @@
-/* $Id: certproc.c,v 1.3 2016/08/31 23:53:58 benno Exp $ */
+/* $Id: certproc.c,v 1.4 2016/09/01 00:21:36 deraadt Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -104,17 +104,12 @@ certproc(int netsock, int filesock)
/* File-system and sandbox jailing. */
- if ( ! sandbox_before())
- goto out;
-
ERR_load_crypto_strings();
- if ( ! dropfs(PATH_VAR_EMPTY))
- goto out;
- else if ( ! dropprivs())
- goto out;
- else if ( ! sandbox_after())
+ if (pledge("stdio", NULL) == -1) {
+ warn("pledge");
goto out;
+ }
/* Read what the netproc wants us to do. */
diff --git a/usr.sbin/acme-client/chngproc.c b/usr.sbin/acme-client/chngproc.c
index f7c11e2306c..55aae1cbe0c 100644
--- a/usr.sbin/acme-client/chngproc.c
+++ b/usr.sbin/acme-client/chngproc.c
@@ -1,4 +1,4 @@
-/* $Id: chngproc.c,v 1.2 2016/08/31 22:49:09 benno Exp $ */
+/* $Id: chngproc.c,v 1.3 2016/09/01 00:21:36 deraadt Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -47,14 +47,18 @@ chngproc(int netsock, const char *root, int remote)
fs = NULL;
fsz = 0;
- /* File-system and sandbox jailing. */
-
- if ( ! sandbox_before())
+ if (chroot(root) == -1) {
+ warn("chroot");
goto out;
- else if ( ! dropfs(root))
+ }
+ if (chdir("/") == -1) {
+ warn("chdir");
goto out;
- else if ( ! sandbox_after())
+ }
+ if (pledge("stdio cpath wpath", NULL) == -1) {
+ warn("pledge");
goto out;
+ }
/*
* Loop while we wait to get a thumbprint and token.
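Review bot: The new `warn("chroot")` drops the path that the deleted dropfs() reported (`warn("%s: chroot", path)`), which makes a failed chroot harder to diagnose when the challenge directory is misconfigured; use `warn("%s: chroot", root);` here and `warn("%s: chroot", certdir);` in the matching fileproc.c hunk. Keeping chroot(2), then chdir("/"), then pledge() is the right order, and the chroot is the reason main.c still requires root. chngproc's body continues outside the hunk.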
diff --git a/usr.sbin/acme-client/dnsproc.c b/usr.sbin/acme-client/dnsproc.c
index 50b808237a5..56c167eea92 100644
--- a/usr.sbin/acme-client/dnsproc.c
+++ b/usr.sbin/acme-client/dnsproc.c
@@ -1,4 +1,4 @@
-/* $Id: dnsproc.c,v 1.2 2016/08/31 22:49:09 benno Exp $ */
+/* $Id: dnsproc.c,v 1.3 2016/09/01 00:21:36 deraadt Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -127,23 +127,10 @@ dnsproc(int nfd)
look = last = NULL;
vsz = 0;
- /*
- * Why don't we chroot() here?
- * On OpenBSD, the pledge(2) takes care of our constraining the
- * environment to DNS resolution only, so the chroot(2) is
- * unnecessary.
- * On Mac OS X, we can't chroot(2): we'd need to have an mdns
- * responder thing in each jail.
- * On Linux, forget it. getaddrinfo(2) pulls on all sorts of
- * mystery meat.
- */
-
- if ( ! sandbox_before())
- goto out;
- else if ( ! dropprivs())
- goto out;
- else if ( ! sandbox_after())
+ if (pledge("stdio dns", NULL) == -1) {
+ warn("pledge");
goto out;
+ }
/*
* This is simple: just loop on a request operation, and each
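Review bot: The hunk removes the only explanation of why this process is not chrooted, leaving a bare pledge() with no rationale for a reader who sees chngproc and fileproc chroot. A one-line comment above the call preserves the OpenBSD-relevant part of the old text: `/* No chroot(2): pledge("stdio dns") already confines us to DNS resolution. */`. dnsproc's body continues outside the hunk.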
diff --git a/usr.sbin/acme-client/extern.h b/usr.sbin/acme-client/extern.h
index eed991c7a0d..c2085266874 100644
--- a/usr.sbin/acme-client/extern.h
+++ b/usr.sbin/acme-client/extern.h
@@ -1,4 +1,4 @@
-/* $Id: extern.h,v 1.2 2016/08/31 22:49:09 benno Exp $ */
+/* $Id: extern.h,v 1.3 2016/09/01 00:21:36 deraadt Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -245,13 +245,6 @@ char *json_fmt_thumb_rsa(const char *, const char *);
char *json_fmt_signed(const char *,
const char *, const char *, const char *);
-int dropprivs(void);
-int dropfs(const char *);
-int checkprivs(void);
-
-int sandbox_after(void);
-int sandbox_before(void);
-
/*
* Should we print debugging messages?
*/
diff --git a/usr.sbin/acme-client/fileproc.c b/usr.sbin/acme-client/fileproc.c
index 29b681fa2dd..20da2381b7c 100644
--- a/usr.sbin/acme-client/fileproc.c
+++ b/usr.sbin/acme-client/fileproc.c
@@ -1,4 +1,4 @@
-/* $Id: fileproc.c,v 1.2 2016/08/31 23:00:17 benno Exp $ */
+/* $Id: fileproc.c,v 1.3 2016/09/01 00:21:36 deraadt Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -81,12 +81,23 @@ fileproc(int certsock, int backup, const char *certdir)
/* File-system and sandbox jailing. */
- if ( ! sandbox_before())
+ if (chroot(certdir) == -1) {
+ warn("chroot");
goto out;
- else if ( ! dropfs(certdir))
+ }
+ if (chdir("/") == -1) {
+ warn("chdir");
goto out;
- else if ( ! sandbox_after())
+ }
+
+ /*
+ * rpath and cpath for rename, wpath and cpath for
+ * writing to the temporary.
+ */
+ if (pledge("stdio cpath wpath rpath", NULL) == -1) {
+ warn("pledge");
goto out;
+ }
/* Read our operation. */
diff --git a/usr.sbin/acme-client/keyproc.c b/usr.sbin/acme-client/keyproc.c
index 0013ce549cd..001064637a1 100644
--- a/usr.sbin/acme-client/keyproc.c
+++ b/usr.sbin/acme-client/keyproc.c
@@ -1,4 +1,4 @@
-/* $Id: keyproc.c,v 1.2 2016/08/31 23:25:10 benno Exp $ */
+/* $Id: keyproc.c,v 1.3 2016/09/01 00:21:36 deraadt Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -116,17 +116,12 @@ keyproc(int netsock, const char *keyfile,
/* File-system, user, and sandbox jail. */
- if ( ! sandbox_before())
- goto out;
-
ERR_load_crypto_strings();
- if ( ! dropfs(PATH_VAR_EMPTY))
- goto out;
- else if ( ! dropprivs())
- goto out;
- else if ( ! sandbox_after())
+ if (pledge("stdio", NULL) == -1) {
+ warn("pledge");
goto out;
+ }
/*
* Seed our PRNG with data from arc4random().
diff --git a/usr.sbin/acme-client/main.c b/usr.sbin/acme-client/main.c
index a9e943208e7..9d26cc145fc 100644
--- a/usr.sbin/acme-client/main.c
+++ b/usr.sbin/acme-client/main.c
@@ -1,4 +1,4 @@
-/* $Id: main.c,v 1.5 2016/09/01 00:03:39 benno Exp $ */
+/* $Id: main.c,v 1.6 2016/09/01 00:21:36 deraadt Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -172,7 +172,7 @@ main(int argc, char *argv[])
argc--;
argv++;
- if ( ! checkprivs())
+ if ( getuid() != 0)
errx(EXIT_FAILURE, "must be run as root");
/*
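Review bot: `if ( getuid() != 0)` inlines the deleted checkprivs() but loses its comment saying why root is required, which is no longer obvious now that dropfs() is gone; put `/* Root is needed for the chroot(2) calls in chngproc and fileproc. */` on the line above the check. The stray space after `(` also departs from the `if (pledge(...) == -1)` form used everywhere else in this commit; `if (getuid() != 0)` matches it. main's body continues outside the hunk.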
@@ -437,14 +437,10 @@ main(int argc, char *argv[])
/* Jail: sandbox, file-system, user. */
- if ( ! sandbox_before())
- exit(EXIT_FAILURE);
- else if ( ! dropfs(PATH_VAR_EMPTY))
- exit(EXIT_FAILURE);
- else if ( ! dropprivs())
- exit(EXIT_FAILURE);
- else if ( ! sandbox_after())
+ if (pledge("stdio", NULL) == -1) {
+ warn("pledge");
exit(EXIT_FAILURE);
+ }
/*
* Collect our subprocesses.
diff --git a/usr.sbin/acme-client/netproc.c b/usr.sbin/acme-client/netproc.c
index 0a81f765a4d..9fe5453d420 100644
--- a/usr.sbin/acme-client/netproc.c
+++ b/usr.sbin/acme-client/netproc.c
@@ -1,4 +1,4 @@
-/* $Id: netproc.c,v 1.3 2016/08/31 23:36:16 benno Exp $ */
+/* $Id: netproc.c,v 1.4 2016/09/01 00:21:36 deraadt Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -600,16 +600,10 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd,
url = cert = thumb = NULL;
chngs = NULL;
- /* File-system, user, and sandbox jail. */
-
- if ( ! sandbox_before())
- goto out;
- else if ( ! dropfs(PATH_VAR_EMPTY))
- goto out;
- else if ( ! dropprivs())
- goto out;
- else if ( ! sandbox_after())
+ if (pledge("stdio inet", NULL) == -1) {
+ warn("pledge");
goto out;
+ }
/*
* Wait until the acctproc, keyproc, and revokeproc have started
diff --git a/usr.sbin/acme-client/revokeproc.c b/usr.sbin/acme-client/revokeproc.c
index 20423ba8d16..b5189560f7f 100644
--- a/usr.sbin/acme-client/revokeproc.c
+++ b/usr.sbin/acme-client/revokeproc.c
@@ -1,4 +1,4 @@
-/* $Id: revokeproc.c,v 1.4 2016/08/31 23:41:23 benno Exp $ */
+/* $Id: revokeproc.c,v 1.5 2016/09/01 00:21:36 deraadt Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -141,17 +141,12 @@ revokeproc(int fd, const char *certdir, int force, int revocate,
/* File-system and sandbox jailing. */
- if ( ! sandbox_before())
- goto out;
-
ERR_load_crypto_strings();
- if ( ! dropfs(PATH_VAR_EMPTY))
- goto out;
- else if ( ! dropprivs())
- goto out;
- else if ( ! sandbox_after())
+ if (pledge("stdio", NULL) == -1) {
+ warn("pledge");
goto out;
+ }
/*
* If we couldn't open the certificate, it doesn't exist so we
diff --git a/usr.sbin/acme-client/sandbox-pledge.c b/usr.sbin/acme-client/sandbox-pledge.c
deleted file mode 100644
index 88b5a263a9c..00000000000
--- a/usr.sbin/acme-client/sandbox-pledge.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/* $Id: sandbox-pledge.c,v 1.2 2016/08/31 23:46:34 benno Exp $ */
-/*
- * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#ifdef HAVE_CONFIG_H
-# include "config.h"
-#endif
-
-#include <err.h>
-#include <errno.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "extern.h"
-
-int
-sandbox_before(void)
-{
-
- return(1);
-}
-
-int
-sandbox_after(void)
-{
-
- switch (proccomp) {
- case (COMP_ACCOUNT):
- case (COMP_CERT):
- case (COMP_KEY):
- case (COMP_REVOKE):
- case (COMP__MAX):
- if (-1 == pledge("stdio", NULL)) {
- warn("pledge");
- return(0);
- }
- break;
- case (COMP_CHALLENGE):
- if (-1 == pledge("stdio cpath wpath", NULL)) {
- warn("pledge");
- return(0);
- }
- break;
- case (COMP_DNS):
- if (-1 == pledge("stdio dns", NULL)) {
- warn("pledge");
- return(0);
- }
- break;
- case (COMP_FILE):
- /*
- * Rpath and cpath for rename, wpath and cpath for
- * writing to the temporary.
- */
- if (-1 == pledge("stdio cpath wpath rpath", NULL)) {
- warn("pledge");
- return(0);
- }
- break;
- case (COMP_NET):
- if (-1 == pledge("stdio inet", NULL)) {
- warn("pledge");
- return(0);
- }
- break;
- }
- return(1);
-}
diff --git a/usr.sbin/acme-client/util-pledge.c b/usr.sbin/acme-client/util-pledge.c
deleted file mode 100644
index 6b5e78d9b34..00000000000
--- a/usr.sbin/acme-client/util-pledge.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/* $Id: util-pledge.c,v 1.1 2016/08/31 22:01:42 florian Exp $ */
-/*
- * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#ifdef HAVE_CONFIG_H
-# include "config.h"
-#endif
-
-#include <err.h>
-#include <unistd.h>
-
-#include "extern.h"
-
-int
-dropfs(const char *path)
-{
-
- /*
- * Only the challenge and file processes touch files within the
- * pledge, so only these need to be chrooted.
- */
-
- if (COMP_CHALLENGE != proccomp &&
- COMP_FILE != proccomp)
- return(1);
-
- if (-1 == chroot(path))
- warn("%s: chroot", path);
- else if (-1 == chdir("/"))
- warn("/: chdir");
- else
- return(1);
-
- return(0);
-}
-
-int
-checkprivs(void)
-{
-
- /* Needed for chroot(2) calls in dropfs(). */
-
- return(0 == getuid());
-}
-
-int
-dropprivs(void)
-{
-
- /* Don't need to drop privileges like this. */
-
- return(1);
-}