Archived view of kvothe.one/gemlog/2020-09-17.gmi, captured on 2020-09-24 at 00:47:37.
This week, I put together a pull request on solderpunk's gemini server, molly brown:
=> https://tildegit.org/solderpunk/molly-brown/pulls/13
The long and short of it is that I added a function, `enableSecurityRestrictions()`, that is implemented by security.go as a no-op on most operating systems and by security_openbsd.go when molly brown is compiled on an OpenBSD system. This, in turn, sandboxes the molly brown server before it begins accepting client connections.
It uses the unveil(2) system call to restrict the files it can read to the directories configured in the molly brown config file. On most molly brown installs, this basically allows molly brown read access to a single directory. Read calls elsewhere will fail with EACCES. Write calls will always fail, except for the access.log and error.log that molly brown already opened.
It also uses the pledge(2) system call to restrict the system calls available to molly brown. On a system without a configured CGI directory, for example, an attempt to spawn a new process will result in the OS killing the molly brown server with SIGABRT.
If a CGI directory or files are specified, molly brown will also ask for exec permissions with pledge(2) and will unveil(2) those CGI directories or files with execute permissions.
The one extra caveat with these additional security features is that CGI processes spawned by molly brown are unrestricted by default. For the security-conscious CGI developer, many languages also have pledge() and unveil() bindings, so a CGI program can restrict itself to the minimal permissions it needs before it handles user input.
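To make the sandbox logic from the paragraphs above concrete, here is an added, self-contained Go example that is not code from the molly brown pull request. It derives the minimal pledge(2) promise string and unveil(2) rules from a configuration (the Config field names are assumptions, not molly brown's config keys), and then models how the kernel would answer later file opens and syscalls so the effect can be checked on any OS. The real OpenBSD-only file would pass the same plan to unix.Unveil, unix.UnveilBlock and unix.Pledge from golang.org/x/sys/unix; the stdio/rpath/inet/proc/exec promise names and the r/w/c/x unveil flags are OpenBSD's own.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Config holds the settings that decide the sandbox. The field names are
// assumptions for this example, not molly brown's own config keys.
type Config struct {
	DocBase  string   // directory served to clients
	CGIPaths []string // directories or files allowed to run as CGI
}

// UnveilRule is one unveil(2) call: a path plus permission letters
// ("r" read, "w" write, "c" create, "x" execute).
type UnveilRule struct {
	Path  string
	Flags string
}

// Plan is the sandbox to apply just before the listener starts accepting.
type Plan struct {
	Promises string       // pledge(2) promise string
	Rules    []UnveilRule // unveil(2) calls, in order
}

var (
	ErrUnveil = errors.New("unveil: path not visible with that access")
	ErrPledge = errors.New("pledge: violation, process killed with SIGABRT")
)

// BuildPlan derives the minimal promises and unveil rules from the config.
// The access and error logs need no rule: they are opened before the sandbox
// is applied, and unveil(2) only constrains later path lookups.
func BuildPlan(cfg Config) Plan {
	p := Plan{Promises: "stdio rpath inet"}
	p.Rules = append(p.Rules, UnveilRule{filepath.Clean(cfg.DocBase), "r"})
	if len(cfg.CGIPaths) > 0 {
		// Spawning CGI needs fork/exec, so widen the promises only then.
		p.Promises += " proc exec"
		for _, c := range cfg.CGIPaths {
			p.Rules = append(p.Rules, UnveilRule{filepath.Clean(c), "rx"})
		}
	}
	return p
}

// Apply is what the OpenBSD-only file (built with `//go:build openbsd`) would
// do with golang.org/x/sys/unix: unix.Unveil(r.Path, r.Flags) per rule,
// unix.UnveilBlock(), then unix.Pledge(p.Promises, ""). The file for other
// systems (`//go:build !openbsd`) is a no-op. Here it only sanity-checks the
// plan so the example runs anywhere.
func Apply(p Plan) error {
	if !strings.Contains(p.Promises, "stdio") || len(p.Rules) == 0 {
		return errors.New("refusing to apply an empty sandbox")
	}
	return nil
}

// CheckPath models open(2) once the rules are in force: the most specific
// unveiled path covering the target decides, and its flags must include
// every requested permission letter.
func (p Plan) CheckPath(path, want string) error {
	path = filepath.Clean(path)
	best := -1
	for i, r := range p.Rules {
		rel, err := filepath.Rel(r.Path, path)
		if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
			continue
		}
		if best < 0 || len(r.Path) > len(p.Rules[best].Path) {
			best = i
		}
	}
	if best < 0 {
		return ErrUnveil
	}
	for _, c := range want {
		if !strings.ContainsRune(p.Rules[best].Flags, c) {
			return ErrUnveil
		}
	}
	return nil
}

// CheckSyscall models pledge(2): a call outside the promised set does not
// return an error, it aborts the whole process.
func (p Plan) CheckSyscall(promise string) error {
	for _, have := range strings.Fields(p.Promises) {
		if have == promise {
			return nil
		}
	}
	return ErrPledge
}

func main() {
	p := BuildPlan(Config{DocBase: "/var/gemini", CGIPaths: []string{"/var/gemini/cgi-bin"}})
	if err := Apply(p); err != nil {
		panic(err)
	}
	fmt.Println("pledge:", p.Promises)
	for _, r := range p.Rules {
		fmt.Printf("unveil(%q, %q)\n", r.Path, r.Flags)
	}
	fmt.Println(p.CheckPath("/var/gemini/index.gmi", "r"))     // allowed
	fmt.Println(p.CheckPath("/etc/passwd", "r"))               // blocked
	fmt.Println(p.CheckPath("/var/gemini/cgi-bin/hello", "x")) // allowed
	fmt.Println(p.CheckPath("/var/gemini/index.gmi", "x"))     // blocked
}
```

The order matters in the real thing as much as in the model: open the log files first, then unveil, then UnveilBlock so no further unveil calls are possible, and pledge last, because the pledge set without "unveil" forbids further unveil calls anyway. Anything the server forgets to ask for before that point, such as a CGI directory, shows up as a failed open or an aborted process rather than a silent success.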
All in all, adding these security features to the OpenBSD implementation of molly brown was pretty easy! It took a little time to understand how to conditionally compile in go, a bit of trial and error to test out which permissions molly brown needs to work normally, and a little experimentation to see how OpenBSD enforces these self-imposed security restrictions when molly brown tries to do something it doesn't have permission to do.
It was a rather enjoyable learning experience, all in all. While I don't profess to have hardened things to be impenetrable, it does give me some small comfort to have dialed in the sandbox in which it runs. For now, KVOTHE-ONE may be the only gemini server running these extra security features, but hopefully they make it into the main molly brown repo for anyone to use!
Until next time, be well!
kvothe.