acme-client: add challenge hook to support dns-01
On Sat, Feb 24, 2024 at 06:07:11PM -0700, Theo de Raadt wrote:
>Christopher Zimmermann <chrisz@openbsd.org> wrote:
>> Privileges can now be dropped with this idiom:
>>
>> [ `/usr/bin/who -m |cut -d ' ' -f 1` == 'nobody' ] ||
>> exec /usr/bin/su -s /bin/sh nobody -s "$@" <"$0"
>
>Wow. Just wow. No way. That's the type of stuff people did
>in 1999.
>
>These days, we build the minimal narrow layers of communication between
>things, and we don't throw a shell script in there that uses "nobody" as
>a safe UID (it is not a safe UID).
OK. I'd like to ask for some more advice on how to do this properly.

I cannot see how the communication can get meaningfully narrower than 4
environment variables for input and an exit code for output. There is no
parsing or interpreting going on in the hook nor in acme-client. So
passing information via environment variables is fine, isn't it?

The shell script is a real pain in the ass. I agree. The problem I tried
to solve is how the hook itself could access the password and pass it
safely to curl. That's why I did not start the hook with already dropped
privileges.

I see two ways to improve this:

(A) don't use shell scripts. Use perl or a compiled C program as hook.
They could do proper tight pledges. This felt like overkill to me.

(B) Use a dedicated _acme user to run the hook. That way privilege
dropping could be done within acme-client.
The current hook interface would not change (much).

I would prefer (A), but we can also do both.
Christopher
--
http://gmerlin.de
OpenPGP: http://gmerlin.de/christopher.pub
CB07 DA40 B0B6 571D 35E2 0DEF 87E2 92A7 13E5 DEE1
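The following is an added example, not code from the thread or from acme-client, sketching option (B) above: the caller forks, drops irreversibly to an unprivileged uid/gid in the child, and execs the hook with only a fixed four-variable environment, reading the result back as an exit code. The `_acme` account, the `ACME_*` variable names and the use of `/bin/sh` as the hook are assumptions for illustration, not acme-client's actual interface.

```c
/*
 * Added example (not acme-client code): run a challenge hook under a
 * dedicated unprivileged user with a minimal, non-inherited environment.
 * Assumed names: the "_acme" account and the ACME_* variables.
 */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Explicit prototypes in case the feature macro above is not honoured. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);

#define HOOK_ENV_COUNT 4

/* Release an envp built by build_hook_env(). */
void free_hook_env(char **env)
{
	if (env == NULL)
		return;
	for (size_t i = 0; env[i] != NULL; i++)
		free(env[i]);
	free(env);
}

/* Build the hook's entire environment: four fixed variables, nothing inherited. */
char **build_hook_env(const char *domain, const char *token,
    const char *keyauth, const char *action)
{
	const char *names[HOOK_ENV_COUNT] =
	    { "ACME_DOMAIN", "ACME_TOKEN", "ACME_KEYAUTH", "ACME_ACTION" };
	const char *values[HOOK_ENV_COUNT] = { domain, token, keyauth, action };
	char **env = calloc(HOOK_ENV_COUNT + 1, sizeof *env); /* NULL-terminated */

	if (env == NULL)
		return NULL;
	for (size_t i = 0; i < HOOK_ENV_COUNT; i++) {
		if (values[i] == NULL)
			goto fail;
		size_t len = strlen(names[i]) + 1 + strlen(values[i]) + 1;
		char *s = malloc(len);
		if (s == NULL)
			goto fail;
		snprintf(s, len, "%s=%s", names[i], values[i]);
		env[i] = s;
	}
	return env;
fail:
	free_hook_env(env);
	return NULL;
}

/* Drop to uid/gid so that root cannot be regained; 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
	/* Supplementary groups are inherited too; only root can clear them. */
	if (geteuid() == 0 && setgroups(1, &gid) == -1)
		return -1;
	/* Group first: after the uid change we may no longer be allowed to. */
	if (setresgid(gid, gid, gid) == -1)
		return -1;
	if (setresuid(uid, uid, uid) == -1)
		return -1;
	/* Verify real and effective ids, then that the saved id cannot restore root. */
	if (getuid() != uid || geteuid() != uid ||
	    getgid() != gid || getegid() != gid)
		return -1;
	if (uid != 0 && setuid(0) != -1)
		return -1;
	return 0;
}

/*
 * Fork, drop privileges in the child and exec the hook with envp only.
 * Returns the hook's exit status, 128+signal if it was killed,
 * 126 if the privilege drop failed, 127 if exec failed, -1 on fork error.
 */
int run_hook(const char *path, char *const argv[], char *const envp[],
    uid_t uid, gid_t gid)
{
	pid_t pid = fork();
	int status;

	if (pid == -1)
		return -1;
	if (pid == 0) {
		if (drop_privileges(uid, gid) == -1)
			_exit(126);
		execve(path, argv, envp); /* execve: no PATH search, no inherited env */
		_exit(127);
	}
	if (waitpid(pid, &status, 0) == -1)
		return -1;
	if (WIFEXITED(status))
		return WEXITSTATUS(status);
	if (WIFSIGNALED(status))
		return 128 + WTERMSIG(status);
	return -1;
}

int main(void)
{
	/* Stand-alone demo with a constructed challenge and /bin/sh as the hook. */
	char **env = build_hook_env("example.org", "token", "token.thumb", "deploy");
	char *const argv[] = { "sh", "-c", "echo \"$ACME_ACTION $ACME_DOMAIN\"", NULL };
	uid_t uid = getuid();
	gid_t gid = getgid();
	struct passwd *pw = geteuid() == 0 ? getpwnam("_acme") : NULL; /* assumed account */

	if (env == NULL)
		return 1;
	if (pw != NULL) {
		uid = pw->pw_uid;
		gid = pw->pw_gid;
	}
	int rc = run_hook("/bin/sh", argv, env, uid, gid);
	free_hook_env(env);
	printf("hook exit status: %d\n", rc);
	return rc == 0 ? 0 : 1;
}
```

The ordering inside `drop_privileges` is the part worth copying: groups, then gid, then uid, with all three of real, effective and saved id set so the child cannot `setuid(0)` its way back, and a post-check that fails closed rather than trusting the return values alone. Because the child uses `execve` with the constructed `envp`, the hook sees nothing from the parent's environment, which is the narrow interface the thread argues for.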