diff options
| author | Alvar <post@0x21.biz> | 2026-02-06 11:58:38 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-02-06 12:58:38 +0100 |
| commit | cef40299a93233f043f5b0821a9ad2c69dd612f7 (patch) | |
| tree | b95f8b83f49cf3fc811c19d5bf9e02f2f4e232c2 /plugins/check_curl.c | |
| parent | fe4c82ea6fe37ef24d1726ebe83fac3e2bd581fe (diff) | |
| download | monitoring-plugins-cef40299a93233f043f5b0821a9ad2c69dd612f7.tar.gz | |
OpenBSD: pledge(2) some network-facing checks (#2225)
OpenBSD's pledge(2) system call allows the current process to
self-restrict itself, being reduced to promised pledges. For example,
unless a process says it wants to write to files, it is not allowed to
do so any longer.
This change starts by calling pledge(2) in some network-facing checks,
removing the more dangerous privileges, such as executing other files.
My initial motivation came from check_icmp, being installed as a setuid
binary and (temporarily) running with root privileges. There, the
pledge(2) calls result in check_icmp to only being allowed to interact
with the network and to setuid(2) to the calling user later on.
Afterwards, I went through my most commonly used monitoring plugins
directly interacting with the network. Thus, I continued with
pledge(2)-ing check_curl - having a huge codebase and all -,
check_ntp_time, check_smtp, check_ssh, and check_tcp.
For most of those, the changes were quite similar: start with
network-friendly promises, parse the configuration, give up file access,
and proceed with the actual check.
Diffstat (limited to 'plugins/check_curl.c')
| -rw-r--r-- | plugins/check_curl.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c index 1dec8a2a..19d36237 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c | |||
| @@ -120,6 +120,14 @@ mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_ | |||
| 120 | #endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */ | 120 | #endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */ |
| 121 | 121 | ||
| 122 | int main(int argc, char **argv) { | 122 | int main(int argc, char **argv) { |
| 123 | #ifdef __OpenBSD__ | ||
| 124 | /* - rpath is required to read --extra-opts, CA and/or client certs | ||
| 125 | * - wpath is required to write --cookie-jar (possibly given up later) | ||
| 126 | * - inet is required for sockets | ||
| 127 | * - dns is required for name lookups */ | ||
| 128 | pledge("stdio rpath wpath inet dns", NULL); | ||
| 129 | #endif // __OpenBSD__ | ||
| 130 | |||
| 123 | setlocale(LC_ALL, ""); | 131 | setlocale(LC_ALL, ""); |
| 124 | bindtextdomain(PACKAGE, LOCALEDIR); | 132 | bindtextdomain(PACKAGE, LOCALEDIR); |
| 125 | textdomain(PACKAGE); | 133 | textdomain(PACKAGE); |
| @@ -135,6 +143,15 @@ int main(int argc, char **argv) { | |||
| 135 | 143 | ||
| 136 | const check_curl_config config = tmp_config.config; | 144 | const check_curl_config config = tmp_config.config; |
| 137 | 145 | ||
| 146 | #ifdef __OpenBSD__ | ||
| 147 | if (!config.curl_config.cookie_jar_file) { | ||
| 148 | if (verbose >= 2) { | ||
| 149 | printf(_("* No \"--cookie-jar\" is used, giving up \"wpath\" pledge(2)\n")); | ||
| 150 | } | ||
| 151 | pledge("stdio rpath inet dns", NULL); | ||
| 152 | } | ||
| 153 | #endif // __OpenBSD__ | ||
| 154 | |||
| 138 | if (config.output_format_is_set) { | 155 | if (config.output_format_is_set) { |
| 139 | mp_set_format(config.output_format); | 156 | mp_set_format(config.output_format); |
| 140 | } | 157 | } |