
From: "Theo de Raadt" <deraadt@openbsd.org>
Subject: Re: acme-client: add challenge hook to support dns-01
To: Florian Obser <florian@openbsd.org>, tech@openbsd.org, Evan Silberman <evan@jklol.net>
Date: Sun, 25 Feb 2024 00:35:04 -0700

Christopher Zimmermann <chrisz@openbsd.org> wrote:

> On Sat, Feb 24, 2024 at 06:07:11PM -0700, Theo de Raadt wrote:
> >Christopher Zimmermann <chrisz@openbsd.org> wrote:
> >> Privileges can now be dropped with this idiom:
> >>
> >> [ `/usr/bin/who -m |cut -d ' ' -f 1` == 'nobody' ] ||
> >>   exec /usr/bin/su -s /bin/sh nobody -s "$@" <"$0"
> >
> >Wow.  Just wow.  No way.  That's the type of stuff people did
> >in 1999.
> >
> >These days, we build the minimal narrow layers of communication between
> >things, and we don't throw a shell script in there that uses "nobody" as
> >a safe UID (it is not a safe UID).
> 
> Ok. I'd like to ask for some more advice on how to do this properly.
> 
> I cannot see how the communication can get meaningfully narrower than
> 4 environment variables for input and an exit code for output. There
> is no parsing or interpreting going on in the hook nor in
> acme-client. So passing information via environment variables is fine,
> isn't it?

No.

> The shell script is a real pain in the ass. I agree. The problem I
> tried to solve is how the hook itself could access the password and
> pass it safely to curl. That's why I did not start the hook with
> already dropped privileges.

It is not how we do things.

> I see two ways to improve this:
> (A) don't use shell scripts. Use perl or a compiled C program as hook.
>     They could do proper tight pledges. This felt like overkill to me.
> (B) Use a dedicated _acme user to run the hook. That way privilege
>     dropping could be done within acme-client.
> 
> The current hook interface would not change (much).
> I would prefer (A), but we can also do both.

Your proposal is a non-starter.  It is richer than it needs to be.
We never do that.

It is entirely the opposite of what our daemons do.  If we can't
do it right, we don't do it until we figure out a way to do it right.
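For readers following the thread, here is what an in-process privilege drop to a dedicated account (the "(B)" shape in the quoted message) looks like when done in C rather than via the `su`/`who` shell idiom. This is an added illustration written for this page; it is not acme-client code and not something the thread adopted. The account name `_acme` and the hook path are hypothetical, and the lookup deliberately refuses `nobody`, since the message above says it is not a safe UID. The drop itself only succeeds when started as root; the lookup policy can be exercised unprivileged.

```c
#include <sys/types.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Resolve the dedicated service account (a hypothetical "_acme" in the
 * usage below).  Root and the shared "nobody" account are refused outright,
 * as are accounts that map to uid or gid 0.  Returns 0 on success, -1 on
 * any rejection.
 */
int resolve_service_user(const char *name, uid_t *uid, gid_t *gid)
{
	struct passwd *pw;

	if (name == NULL || *name == '\0')
		return -1;
	if (strcmp(name, "root") == 0 || strcmp(name, "nobody") == 0)
		return -1;
	if ((pw = getpwnam(name)) == NULL)
		return -1;
	if (pw->pw_uid == 0 || pw->pw_gid == 0)
		return -1;
	*uid = pw->pw_uid;
	*gid = pw->pw_gid;
	return 0;
}

/*
 * Report whether the calling process really runs as uid/gid: real and
 * effective ids must match the target and be non-zero.  Returns 1 if so,
 * 0 otherwise.
 */
int privileges_dropped(uid_t uid, gid_t gid)
{
	if (uid == 0 || gid == 0)
		return 0;
	if (getuid() != uid || geteuid() != uid)
		return 0;
	if (getgid() != gid || getegid() != gid)
		return 0;
	return 1;
}

/*
 * Drop from root to the service account in the conventional order:
 * supplementary groups, then gid, then uid (uid last, because once the
 * uid is unprivileged the group calls would fail).  On OpenBSD one would
 * use setresgid/setresuid; the POSIX calls are used here so the example
 * compiles portably.  Returns 0 on success, -1 on failure.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
	if (uid == 0 || gid == 0)
		return -1;
	if (setgroups(1, &gid) == -1)
		return -1;
	if (setgid(gid) == -1)
		return -1;
	if (setuid(uid) == -1)
		return -1;
	/* If root can still be regained, the drop was not permanent. */
	if (setuid(0) != -1)
		return -1;
	return privileges_dropped(uid, gid) ? 0 : -1;
}

/*
 * Run a hook under the service account: the parent does the drop itself
 * and then execv()s the hook, so the hook never starts with privilege.
 * Returns -1 only if something failed before or during exec.
 */
int run_hook_as(const char *user, const char *hook_path, char *const argv[])
{
	uid_t uid;
	gid_t gid;

	if (resolve_service_user(user, &uid, &gid) == -1)
		return -1;
	if (drop_privileges(uid, gid) == -1)
		return -1;
	execv(hook_path, argv);
	return -1;	/* only reached if execv failed */
}

int main(void)
{
	uid_t uid;
	gid_t gid;

	/* The lookup policy can be shown without root. */
	printf("nobody rejected: %s\n",
	    resolve_service_user("nobody", &uid, &gid) == -1 ? "yes" : "no");
	/* Hypothetical account and hook path; requires root to succeed. */
	if (run_hook_as("_acme", "/etc/acme/hook", (char *const[]){ "hook", NULL }) == -1)
		fprintf(stderr, "run_hook_as: %s\n", strerror(errno));
	return 0;
}
```

The two points the thread raises are visible here: the communication boundary stays narrow (the parent changes ids and calls `execv`, nothing interprets a script on the way), and the unprivileged identity is an account chosen for this one purpose rather than a shared catch-all uid.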