From cef40299a93233f043f5b0821a9ad2c69dd612f7 Mon Sep 17 00:00:00 2001 From: Alvar Date: Fri, 6 Feb 2026 11:58:38 +0000 Subject: OpenBSD: pledge(2) some network-facing checks (#2225) OpenBSD's pledge(2) system call allows the current process to self-restrict itself, being reduced to promised pledges. For example, unless a process says it wants to write to files, it is not allowed to do so any longer. This change starts by calling pledge(2) in some network-facing checks, removing the more dangerous privileges, such as executing other files. My initial motivation came from check_icmp, being installed as a setuid binary and (temporarily) running with root privileges. There, the pledge(2) calls result in check_icmp to only being allowed to interact with the network and to setuid(2) to the calling user later on. Afterwards, I went through my most commonly used monitoring plugins directly interacting with the network. Thus, I continued with pledge(2)-ing check_curl - having a huge codebase and all -, check_ntp_time, check_smtp, check_ssh, and check_tcp. For most of those, the changes were quite similar: start with network-friendly promises, parse the configuration, give up file access, and proceed with the actual check. --- plugins-root/check_icmp.c | 17 +++++++++++++++++ plugins/check_curl.c | 17 +++++++++++++++++ plugins/check_ntp_time.c | 12 ++++++++++++ plugins/check_smtp.c | 12 ++++++++++++ plugins/check_ssh.c | 12 ++++++++++++ plugins/check_tcp.c | 12 ++++++++++++ 6 files changed, 82 insertions(+) diff --git a/plugins-root/check_icmp.c b/plugins-root/check_icmp.c index e536e31c..1390a03e 100644 --- a/plugins-root/check_icmp.c +++ b/plugins-root/check_icmp.c @@ -812,6 +812,15 @@ void parse_address(const struct sockaddr_storage *addr, char *dst, socklen_t siz } int main(int argc, char **argv) { +#ifdef __OpenBSD__ + /* - rpath is required to read --extra-opts (given up later) + * - inet is required for sockets + * - dns is required for name lookups (given up later) + * - id is required for temporary privilege drops in configparsing and for + * permanent privilege dropping after opening the socket (given up later) */ + pledge("stdio rpath inet dns id", NULL); +#endif // __OpenBSD__ + setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); @@ -836,6 +845,10 @@ int main(int argc, char **argv) { crash("failed to parse config"); } +#ifdef __OpenBSD__ + pledge("stdio inet dns id", NULL); +#endif // __OpenBSD__ + const check_icmp_config config = tmp_config.config; if (config.output_format_is_set) { @@ -898,6 +911,10 @@ int main(int argc, char **argv) { return 1; } +#ifdef __OpenBSD__ + pledge("stdio inet", NULL); +#endif // __OpenBSD__ + if (sockset.socket4) { int result = setsockopt(sockset.socket4, SOL_IP, IP_TTL, &config.ttl, sizeof(config.ttl)); if (debug) { diff --git a/plugins/check_curl.c b/plugins/check_curl.c index 1dec8a2a..19d36237 100644 --- a/plugins/check_curl.c +++ b/plugins/check_curl.c @@ -120,6 +120,14 @@ mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_ #endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */ int main(int argc, char **argv) { +#ifdef __OpenBSD__ + /* - rpath is required to read --extra-opts, CA and/or client certs + * - wpath is required to write --cookie-jar (possibly given up later) + * - inet is required for sockets + * - dns is required for name lookups */ + pledge("stdio rpath wpath inet dns", NULL); +#endif // __OpenBSD__ + setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); @@ -135,6 +143,15 @@ int main(int argc, char **argv) { const check_curl_config config = tmp_config.config; +#ifdef __OpenBSD__ + if (!config.curl_config.cookie_jar_file) { + if (verbose >= 2) { + printf(_("* No \"--cookie-jar\" is used, giving up \"wpath\" pledge(2)\n")); + } + pledge("stdio rpath inet dns", NULL); + } +#endif // __OpenBSD__ + if (config.output_format_is_set) { mp_set_format(config.output_format); } diff --git a/plugins/check_ntp_time.c b/plugins/check_ntp_time.c index 9e0beb9c..afa6d16c 100644 --- a/plugins/check_ntp_time.c +++ b/plugins/check_ntp_time.c @@ -661,6 +661,14 @@ static check_ntp_time_config_wrapper process_arguments(int argc, char **argv) { } int main(int argc, char *argv[]) { +#ifdef __OpenBSD__ + /* - rpath is required to read --extra-opts (given up later) + * - inet is required for sockets + * - unix is required for Unix domain sockets + * - dns is required for name lookups */ + pledge("stdio rpath inet unix dns", NULL); +#endif // __OpenBSD__ + setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); @@ -674,6 +682,10 @@ int main(int argc, char *argv[]) { usage4(_("Could not parse arguments")); } +#ifdef __OpenBSD__ + pledge("stdio inet unix dns", NULL); +#endif // __OpenBSD__ + const check_ntp_time_config config = tmp_config.config; if (config.output_format_is_set) { diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index e8c35f58..03335665 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c @@ -100,6 +100,14 @@ static int my_close(int /*socket_descriptor*/); static int verbose = 0; int main(int argc, char **argv) { +#ifdef __OpenBSD__ + /* - rpath is required to read --extra-opts (given up later) + * - inet is required for sockets + * - unix is required for Unix domain sockets + * - dns is required for name lookups */ + pledge("stdio rpath inet unix dns", NULL); +#endif // __OpenBSD__ + setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); @@ -113,6 +121,10 @@ int main(int argc, char **argv) { usage4(_("Could not parse arguments")); } +#ifdef __OpenBSD__ + pledge("stdio inet unix dns", NULL); +#endif // __OpenBSD__ + const check_smtp_config config = tmp_config.config; if (config.output_format_is_set) { diff --git a/plugins/check_ssh.c b/plugins/check_ssh.c index f6c8d551..84b70a53 100644 --- a/plugins/check_ssh.c +++ b/plugins/check_ssh.c @@ -61,6 +61,14 @@ static int ssh_connect(mp_check *overall, char *haddr, int hport, char *remote_v char *remote_protocol); int main(int argc, char **argv) { +#ifdef __OpenBSD__ + /* - rpath is required to read --extra-opts (given up later) + * - inet is required for sockets + * - unix is required for Unix domain sockets + * - dns is required for name lookups */ + pledge("stdio rpath inet unix dns", NULL); +#endif // __OpenBSD__ + setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); @@ -74,6 +82,10 @@ int main(int argc, char **argv) { usage4(_("Could not parse arguments")); } +#ifdef __OpenBSD__ + pledge("stdio inet unix dns", NULL); +#endif // __OpenBSD__ + check_ssh_config config = tmp_config.config; mp_check overall = mp_check_init(); diff --git a/plugins/check_tcp.c b/plugins/check_tcp.c index 09806373..430f1218 100644 --- a/plugins/check_tcp.c +++ b/plugins/check_tcp.c @@ -89,6 +89,14 @@ const int DEFAULT_NNTPS_PORT = 563; const int DEFAULT_CLAMD_PORT = 3310; int main(int argc, char **argv) { +#ifdef __OpenBSD__ + /* - rpath is required to read --extra-opts (given up later) + * - inet is required for sockets + * - unix is required for Unix domain sockets + * - dns is required for name lookups */ + pledge("stdio rpath inet unix dns", NULL); +#endif // __OpenBSD__ + setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); @@ -216,6 +224,10 @@ int main(int argc, char **argv) { usage4(_("Could not parse arguments")); } +#ifdef __OpenBSD__ + pledge("stdio inet unix dns", NULL); +#endif // __OpenBSD__ + config = paw.config; if (verbosity > 0) { -- cgit v1.2.3-74-g34f1