Friday, June 01, 2018

hitch: Fix permissions, add cpath promise for OCSP worker

Noticed by Maxim Tarasov <mu@magi.net.ru>, /var/hitch/ should be owned
by _hitch not root.

I failed to spot this as the directory had proper ownership and
permissions on my system already during porting and testing.

Hitch may also create new OCSP staples, I only tested and run with
existing ones or none at all.

He already confirmed that this diff fixes both issues in his setup.

OK?

Index: Makefile
===================================================================
RCS file: /cvs/ports/security/hitch/Makefile,v
retrieving revision 1.2
diff -u -p -r1.2 Makefile
--- Makefile 8 May 2018 23:22:51 -0000 1.2
+++ Makefile 1 Jun 2018 18:35:18 -0000
@@ -3,7 +3,7 @@
COMMENT = libev-based high performance TLS proxy

DISTNAME = hitch-1.4.8
-REVISION = 0
+REVISION = 1

CATEGORIES = security

Index: patches/patch-src_hitch_c
===================================================================
RCS file: /cvs/ports/security/hitch/patches/patch-src_hitch_c,v
retrieving revision 1.2
diff -u -p -r1.2 patch-src_hitch_c
--- patches/patch-src_hitch_c 8 May 2018 23:22:51 -0000 1.2
+++ patches/patch-src_hitch_c 1 Jun 2018 19:20:41 -0000
@@ -23,7 +23,7 @@ Index: src/hitch.c
"Refusing to run workers as root.\n");
_exit(1);
}
-+ if (pledge("stdio rpath wpath inet dns", NULL) == -1)
++ if (pledge("stdio rpath wpath cpath inet dns", NULL) == -1)
+ fail("pledge");
+ LOGL("{core} pledge called (ocsp)\n");
handle_ocsp_task();
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/hitch/pkg/PLIST,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 PLIST
--- pkg/PLIST 1 May 2018 13:43:59 -0000 1.1.1.1
+++ pkg/PLIST 1 Jun 2018 20:18:51 -0000
@@ -1,6 +1,14 @@
@comment $OpenBSD: PLIST,v 1.1.1.1 2018/05/01 13:43:59 kn Exp $
@newgroup _hitch:807
@newuser _hitch:807:_hitch:daemon:Hitch TLS proxy:/var/hitch:/sbin/nologin
+@rcscript ${RCDIR}/hitch
+@mode 700
+@owner _hitch
+@group _hitch
+@sample ${LOCALSTATEDIR}/hitch/
+@mode
+@owner
+@group
@man man/man5/hitch.conf.5
@man man/man8/hitch.8
@bin sbin/hitch
@@ -15,6 +23,3 @@ share/doc/hitch/proxy-protocol.md
share/doc/hitch/vhosts.md
share/examples/hitch/
share/examples/hitch/hitch.conf.example
-@exec-add mkdir -p /var/hitch
-@extraunexec rm -rf /var/hitch
-@rcscript ${RCDIR}/hitch

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)