Friday, July 02, 2021

net/igmpproxy - chroot and drop privileges

Enclosed is a diff for net/igmpproxy, which puts igmpproxy in an
unprivileged chroot after startup. I'm currently discussing a more
extensive diff with upstream.

We normally do not add features to our ports, but I was wondering if
this addition makes sense to commit as it increases security a bit.

Run tested on amd64 in combination with an iptv setup.

While here add daemon_flags="${SYSCONFDIR}/igmpproxy.conf" to
igmpproxy.rc as igmpproxy will complain if no configuration file is
given.

Thoughts/tests/comments/OK?


diff --git infrastructure/db/user.list infrastructure/db/user.list
index bfb3d70510e..f2eb6a60b8d 100644
--- infrastructure/db/user.list
+++ infrastructure/db/user.list
@@ -376,3 +376,4 @@ id user group port
865 _vger _vger net/vger
866 _navidrome _navidrome audio/navidrome
867 _notify_push www/nextcloud_notify_push
+868 _igmpproxy _igmpproxy net/igmpproxy
diff --git net/igmpproxy/Makefile net/igmpproxy/Makefile
index f87a2b4fc45..6d971d68749 100644
--- net/igmpproxy/Makefile
+++ net/igmpproxy/Makefile
@@ -3,7 +3,7 @@
COMMENT = multicast router utilizing IGMP forwarding

VERSION = 0.3
-REVISION = 0
+REVISION = 1
DISTNAME = igmpproxy-${VERSION}
CATEGORIES = net
MASTER_SITES = https://github.com/pali/igmpproxy/releases/download/${VERSION}/
diff --git net/igmpproxy/patches/patch-src_igmpproxy_c net/igmpproxy/patches/patch-src_igmpproxy_c
index 021692a14b3..a4aee9e92f0 100644
--- net/igmpproxy/patches/patch-src_igmpproxy_c
+++ net/igmpproxy/patches/patch-src_igmpproxy_c
@@ -3,7 +3,7 @@ $OpenBSD: patch-src_igmpproxy_c,v 1.1 2021/01/12 17:59:49 sthen Exp $
Index: src/igmpproxy.c
--- src/igmpproxy.c.orig
+++ src/igmpproxy.c
-@@ -37,13 +37,10 @@
+@@ -37,13 +37,11 @@
* February 2005 - Johnny Egeland
*/

@@ -14,12 +14,23 @@ Index: src/igmpproxy.c
-
#include "igmpproxy.h"

++#include <pwd.h>
+#include <sys/sysctl.h>
+
static const char Usage[] =
"Usage: igmpproxy [-h] [-n] [-d] [-v [-v]] <configfile>\n"
"\n"
-@@ -123,6 +120,25 @@ int main( int ArgCn, char *ArgVc[] ) {
+@@ -68,6 +66,9 @@ static int sighandled = 0;
+ #define GOT_SIGUSR1 0x04
+ #define GOT_SIGUSR2 0x08
+
++#define CHROOT_DIR "/var/empty"
++#define NOPRIV_USER "_igmpproxy"
++
+ // Holds the indeces of the upstream IF...
+ int upStreamIfIdx[MAX_UPS_VIFS];
+
+@@ -123,6 +124,25 @@ int main( int ArgCn, char *ArgVc[] ) {

openlog("igmpproxy", LOG_PID, LOG_USER);

@@ -45,25 +56,42 @@ Index: src/igmpproxy.c
// Write debug notice with file path...
my_log(LOG_DEBUG, 0, "Searching for config file at '%s'" , configFilePath);

-@@ -142,16 +158,8 @@ int main( int ArgCn, char *ArgVc[] ) {
+@@ -140,18 +160,25 @@ int main( int ArgCn, char *ArgVc[] ) {
+ break;
+ }

- if ( !NotAsDaemon ) {
+- if ( !NotAsDaemon ) {
++ // Drop privileges
++ {
++ struct passwd *pw;

- // Only daemon goes past this line...
- if (fork()) exit(0);
--
++ pw = getpwnam(NOPRIV_USER);
++ if (pw == NULL)
++ my_log(LOG_ERR, 0, "unknown user %s", NOPRIV_USER);
+
- // Detach daemon from terminal
- if ( close( 0 ) < 0 || close( 1 ) < 0 || close( 2 ) < 0
- || open( "/dev/null", 0 ) != 0 || dup2( 0, 1 ) < 0 || dup2( 0, 2 ) < 0
- || setpgid( 0, 0 ) < 0
- ) {
++ if (chroot(CHROOT_DIR) != 0 || chdir("/") != 0 ||
++ setgroups(1, &pw->pw_gid) != 0 ||
++ setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0 ||
++ setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0)
++ my_log(LOG_ERR, 0, "cannot drop privileges");
++ }
++
++ if ( !NotAsDaemon ) {
++
+ if ( daemon(1, 0 ) < 0 )
my_log( LOG_ERR, errno, "failed to detach daemon" );
- }
}

// Go to the main loop.
-@@ -207,6 +215,8 @@ int igmpProxyInit(void) {
+@@ -207,6 +234,8 @@ int igmpProxyInit(void) {
}

for ( Ix = 0; (Dp = getIfByIx(Ix)); Ix++ ) {
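Review bot: The privilege-drop block added before `if ( !NotAsDaemon )` is only safe if `my_log(LOG_ERR, ...)` never returns, which this hunk does not show. If it does return, a failed `getpwnam()` leads to a NULL dereference at `&pw->pw_gid`, and a failed `chroot()` or `setresuid()` leaves the daemon running as root. Either add a comment stating that `my_log()` exits at `LOG_ERR`, or follow each of the two calls with an explicit `exit(1);`, and pass `errno` on the second one, `my_log(LOG_ERR, errno, "cannot drop privileges");`, so the log records why the drop failed. Also, `daemon(1, 0)` now runs after `chroot(CHROOT_DIR)`, where `/dev/null` is presumably not reachable, so the stdio redirection it is asked for may silently not happen; confirm this, or detach before the chroot. The body of `main()` starts and ends outside the hunk.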
diff --git net/igmpproxy/pkg/PLIST net/igmpproxy/pkg/PLIST
index 1cbe5a08909..32ebfcdd078 100644
--- net/igmpproxy/pkg/PLIST
+++ net/igmpproxy/pkg/PLIST
@@ -1,4 +1,6 @@
@comment $OpenBSD: PLIST,v 1.5 2021/01/12 17:59:50 sthen Exp $
+@newgroup _igmpproxy:868
+@newuser _igmpproxy:868:868:daemon:IGMP multicast routing daemon:/var/empty:/sbin/nologin
@rcscript ${RCDIR}/igmpproxy
@man man/man5/igmpproxy.conf.5
@man man/man8/igmpproxy.8
diff --git net/igmpproxy/pkg/igmpproxy.rc net/igmpproxy/pkg/igmpproxy.rc
index f4366b88351..3718a74d8a2 100644
--- net/igmpproxy/pkg/igmpproxy.rc
+++ net/igmpproxy/pkg/igmpproxy.rc
@@ -3,6 +3,7 @@
# $OpenBSD: igmpproxy.rc,v 1.2 2018/01/11 19:27:05 rpe Exp $

daemon="${TRUEPREFIX}/sbin/igmpproxy"
+daemon_flags="${SYSCONFDIR}/igmpproxy.conf"

. /etc/rc.d/rc.subr
