[monitoring-plugins] OpenBSD: pledge(2) some network-facing checks ...
GitHub
git at monitoring-plugins.org
Fri Feb 6 13:00:13 CET 2026
Module: monitoring-plugins
Branch: master
Commit: cef40299a93233f043f5b0821a9ad2c69dd612f7
Author: Alvar <post at 0x21.biz>
Committer: GitHub <noreply at github.com>
Date: Fri Feb 6 11:58:38 2026 +0000
URL: https://www.monitoring-plugins.org/repositories/monitoring-plugins/commit/?id=cef40299
OpenBSD: pledge(2) some network-facing checks (#2225)
OpenBSD's pledge(2) system call allows the current process to
self-restrict itself, being reduced to promised pledges. For example,
unless a process says it wants to write to files, it is not allowed to
do so any longer.
This change starts by calling pledge(2) in some network-facing checks,
removing the more dangerous privileges, such as executing other files.
My initial motivation came from check_icmp, being installed as a setuid
binary and (temporarily) running with root privileges. There, the
pledge(2) calls result in check_icmp to only being allowed to interact
with the network and to setuid(2) to the calling user later on.
Afterwards, I went through my most commonly used monitoring plugins
directly interacting with the network. Thus, I continued with
pledge(2)-ing check_curl - having a huge codebase and all -,
check_ntp_time, check_smtp, check_ssh, and check_tcp.
For most of those, the changes were quite similar: start with
network-friendly promises, parse the configuration, give up file access,
and proceed with the actual check.
---
plugins-root/check_icmp.c | 17 +++++++++++++++++
plugins/check_curl.c | 17 +++++++++++++++++
plugins/check_ntp_time.c | 12 ++++++++++++
plugins/check_smtp.c | 12 ++++++++++++
plugins/check_ssh.c | 12 ++++++++++++
plugins/check_tcp.c | 12 ++++++++++++
6 files changed, 82 insertions(+)
diff --git a/plugins-root/check_icmp.c b/plugins-root/check_icmp.c
index e536e31c..1390a03e 100644
--- a/plugins-root/check_icmp.c
+++ b/plugins-root/check_icmp.c
@@ -812,6 +812,15 @@ void parse_address(const struct sockaddr_storage *addr, char *dst, socklen_t siz
}
int main(int argc, char **argv) {
+#ifdef __OpenBSD__
+ /* - rpath is required to read --extra-opts (given up later)
+ * - inet is required for sockets
+ * - dns is required for name lookups (given up later)
+ * - id is required for temporary privilege drops in configparsing and for
+ * permanent privilege dropping after opening the socket (given up later) */
+ pledge("stdio rpath inet dns id", NULL);
+#endif // __OpenBSD__
+
setlocale(LC_ALL, "");
bindtextdomain(PACKAGE, LOCALEDIR);
textdomain(PACKAGE);
@@ -836,6 +845,10 @@ int main(int argc, char **argv) {
crash("failed to parse config");
}
+#ifdef __OpenBSD__
+ pledge("stdio inet dns id", NULL);
+#endif // __OpenBSD__
+
const check_icmp_config config = tmp_config.config;
if (config.output_format_is_set) {
@@ -898,6 +911,10 @@ int main(int argc, char **argv) {
return 1;
}
+#ifdef __OpenBSD__
+ pledge("stdio inet", NULL);
+#endif // __OpenBSD__
+
if (sockset.socket4) {
int result = setsockopt(sockset.socket4, SOL_IP, IP_TTL, &config.ttl, sizeof(config.ttl));
if (debug) {
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index 1dec8a2a..19d36237 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -120,6 +120,14 @@ mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_
#endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */
int main(int argc, char **argv) {
+#ifdef __OpenBSD__
+ /* - rpath is required to read --extra-opts, CA and/or client certs
+ * - wpath is required to write --cookie-jar (possibly given up later)
+ * - inet is required for sockets
+ * - dns is required for name lookups */
+ pledge("stdio rpath wpath inet dns", NULL);
+#endif // __OpenBSD__
+
setlocale(LC_ALL, "");
bindtextdomain(PACKAGE, LOCALEDIR);
textdomain(PACKAGE);
@@ -135,6 +143,15 @@ int main(int argc, char **argv) {
const check_curl_config config = tmp_config.config;
+#ifdef __OpenBSD__
+ if (!config.curl_config.cookie_jar_file) {
+ if (verbose >= 2) {
+ printf(_("* No \"--cookie-jar\" is used, giving up \"wpath\" pledge(2)\n"));
+ }
+ pledge("stdio rpath inet dns", NULL);
+ }
+#endif // __OpenBSD__
+
if (config.output_format_is_set) {
mp_set_format(config.output_format);
}
diff --git a/plugins/check_ntp_time.c b/plugins/check_ntp_time.c
index 9e0beb9c..afa6d16c 100644
--- a/plugins/check_ntp_time.c
+++ b/plugins/check_ntp_time.c
@@ -661,6 +661,14 @@ static check_ntp_time_config_wrapper process_arguments(int argc, char **argv) {
}
int main(int argc, char *argv[]) {
+#ifdef __OpenBSD__
+ /* - rpath is required to read --extra-opts (given up later)
+ * - inet is required for sockets
+ * - unix is required for Unix domain sockets
+ * - dns is required for name lookups */
+ pledge("stdio rpath inet unix dns", NULL);
+#endif // __OpenBSD__
+
setlocale(LC_ALL, "");
bindtextdomain(PACKAGE, LOCALEDIR);
textdomain(PACKAGE);
@@ -674,6 +682,10 @@ int main(int argc, char *argv[]) {
usage4(_("Could not parse arguments"));
}
+#ifdef __OpenBSD__
+ pledge("stdio inet unix dns", NULL);
+#endif // __OpenBSD__
+
const check_ntp_time_config config = tmp_config.config;
if (config.output_format_is_set) {
diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c
index e8c35f58..03335665 100644
--- a/plugins/check_smtp.c
+++ b/plugins/check_smtp.c
@@ -100,6 +100,14 @@ static int my_close(int /*socket_descriptor*/);
static int verbose = 0;
int main(int argc, char **argv) {
+#ifdef __OpenBSD__
+ /* - rpath is required to read --extra-opts (given up later)
+ * - inet is required for sockets
+ * - unix is required for Unix domain sockets
+ * - dns is required for name lookups */
+ pledge("stdio rpath inet unix dns", NULL);
+#endif // __OpenBSD__
+
setlocale(LC_ALL, "");
bindtextdomain(PACKAGE, LOCALEDIR);
textdomain(PACKAGE);
@@ -113,6 +121,10 @@ int main(int argc, char **argv) {
usage4(_("Could not parse arguments"));
}
+#ifdef __OpenBSD__
+ pledge("stdio inet unix dns", NULL);
+#endif // __OpenBSD__
+
const check_smtp_config config = tmp_config.config;
if (config.output_format_is_set) {
diff --git a/plugins/check_ssh.c b/plugins/check_ssh.c
index f6c8d551..84b70a53 100644
--- a/plugins/check_ssh.c
+++ b/plugins/check_ssh.c
@@ -61,6 +61,14 @@ static int ssh_connect(mp_check *overall, char *haddr, int hport, char *remote_v
char *remote_protocol);
int main(int argc, char **argv) {
+#ifdef __OpenBSD__
+ /* - rpath is required to read --extra-opts (given up later)
+ * - inet is required for sockets
+ * - unix is required for Unix domain sockets
+ * - dns is required for name lookups */
+ pledge("stdio rpath inet unix dns", NULL);
+#endif // __OpenBSD__
+
setlocale(LC_ALL, "");
bindtextdomain(PACKAGE, LOCALEDIR);
textdomain(PACKAGE);
@@ -74,6 +82,10 @@ int main(int argc, char **argv) {
usage4(_("Could not parse arguments"));
}
+#ifdef __OpenBSD__
+ pledge("stdio inet unix dns", NULL);
+#endif // __OpenBSD__
+
check_ssh_config config = tmp_config.config;
mp_check overall = mp_check_init();
diff --git a/plugins/check_tcp.c b/plugins/check_tcp.c
index 09806373..430f1218 100644
--- a/plugins/check_tcp.c
+++ b/plugins/check_tcp.c
@@ -89,6 +89,14 @@ const int DEFAULT_NNTPS_PORT = 563;
const int DEFAULT_CLAMD_PORT = 3310;
int main(int argc, char **argv) {
+#ifdef __OpenBSD__
+ /* - rpath is required to read --extra-opts (given up later)
+ * - inet is required for sockets
+ * - unix is required for Unix domain sockets
+ * - dns is required for name lookups */
+ pledge("stdio rpath inet unix dns", NULL);
+#endif // __OpenBSD__
+
setlocale(LC_ALL, "");
bindtextdomain(PACKAGE, LOCALEDIR);
textdomain(PACKAGE);
@@ -216,6 +224,10 @@ int main(int argc, char **argv) {
usage4(_("Could not parse arguments"));
}
+#ifdef __OpenBSD__
+ pledge("stdio inet unix dns", NULL);
+#endif // __OpenBSD__
+
config = paw.config;
if (verbosity > 0) {
More information about the Commits
mailing list