From: Christopher Zimmermann
Subject: Re: acme-client: add challenge hook to support dns-01
To: Florian Obser, tech@openbsd.org, Evan Silberman
Date: Sun, 25 Feb 2024 07:54:49 +0100

On Sat, Feb 24, 2024 at 06:07:11PM -0700, Theo de Raadt wrote:
>Christopher Zimmermann wrote:
>> Privileges can now be dropped with this idiom:
>>
>> [ `/usr/bin/who -m |cut -d ' ' -f 1` == 'nobody' ] ||
>> exec /usr/bin/su -s /bin/sh nobody -s "$@" <"$0"
>
>Wow. Just wow. No way. That's the type of stuff people did
>in 1999.
>
>These days, we build the minimal narrow layers of communication between
>things, and we don't throw a shell script in there that uses "nobody" as
>a safe UID (it is not a safe UID).

Ok. I'd like to ask for some more advice on how to do this properly.

I cannot see how the communication can get meaningfully narrower than 4 environment variables for input and an exit code for output. There is no parsing or interpreting going on in the hook nor in acme-client. So passing information via environment variables is fine, isn't it?

The shell script is a real pain in the ass. I agree. The problem I tried to solve is how the hook itself could access the password and pass it safely to curl. That's why I did not start the hook with already dropped privileges.

I see two ways to improve this:

(A) don't use shell scripts. Use perl or a compiled C program as hook. They could do proper tight pledges. This felt like overkill to me.

(B) Use a dedicated _acme user to run the hook. That way privilege dropping could be done within acme-client. The current hook interface would not change (much).

I would prefer (A), but we can also do both.

Christopher

-- 
http://gmerlin.de
OpenPGP: http://gmerlin.de/christopher.pub
CB07 DA40 B0B6 571D 35E2 0DEF 87E2 92A7 13E5 DEE1
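The following is an added illustration of option (B) from the message above, written for this page and not taken from acme-client or from anyone in the thread. It shows the shape of the interface the message describes (four environment variables in, an exit code out) with the privilege drop done by the calling program rather than by the hook: the parent builds a fixed environment containing only those four variables plus PATH, forks, switches the child to a dedicated unprivileged user with all three uids and gids, verifies that root cannot be regained, and only then execs the hook. The variable names `ACME_ACTION`, `ACME_DOMAIN`, `ACME_CHALLENGE` and `ACME_TOKEN`, the user name `_acme` and the sample values are assumptions made for the example; pledge(2) is left out so the code also builds on non-OpenBSD systems.

```c
/*
 * Added example: run a challenge hook with a minimal environment after
 * dropping to a dedicated user. Not acme-client code; names are assumed.
 */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Explicit prototypes so the example builds whether or not the libc
 * headers expose these under the feature macros in effect. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);

#define HOOK_NVARS 4

/* Assumed names for the hook's four inputs (placeholders, not acme-client's). */
static const char *const hook_vars[HOOK_NVARS] = {
	"ACME_ACTION", "ACME_DOMAIN", "ACME_CHALLENGE", "ACME_TOKEN"
};

/* Release an environment built by make_hook_env(). */
void free_hook_env(char *env[])
{
	size_t i;

	for (i = 0; i < HOOK_NVARS + 2; i++) {
		free(env[i]);
		env[i] = NULL;
	}
}

/*
 * Build the hook's entire environment: exactly the four variables and a
 * fixed PATH, nothing inherited from the caller. env needs HOOK_NVARS + 2
 * slots. Values are passed through untouched (no parsing, as the message
 * states); only a missing value is an error. Returns 0 or -1.
 */
int make_hook_env(char *env[], const char *const vals[HOOK_NVARS])
{
	size_t i, n;

	for (i = 0; i < HOOK_NVARS + 2; i++)
		env[i] = NULL;
	for (i = 0; i < HOOK_NVARS; i++) {
		if (vals[i] == NULL)
			goto fail;
		n = strlen(hook_vars[i]) + 1 + strlen(vals[i]) + 1;
		if ((env[i] = malloc(n)) == NULL)
			goto fail;
		snprintf(env[i], n, "%s=%s", hook_vars[i], vals[i]);
	}
	if ((env[HOOK_NVARS] = strdup("PATH=/usr/bin:/bin")) == NULL)
		goto fail;
	return 0;
fail:
	free_hook_env(env);
	return -1;
}

/*
 * Switch to a dedicated unprivileged user. All three gids/uids are set so
 * no saved id remains, and the drop is verified: regaining root must fail.
 */
int drop_privileges(const char *user)
{
	struct passwd *pw;

	if ((pw = getpwnam(user)) == NULL || pw->pw_uid == 0)
		return -1;
	if (setgroups(1, &pw->pw_gid) == -1 ||
	    setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1 ||
	    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
		return -1;
	if (setuid(0) != -1)	/* must not succeed after the drop */
		return -1;
	return 0;
}

/* Fork, drop privileges in the child, exec the hook; return its exit code. */
int run_hook(const char *path, const char *user, const char *const vals[HOOK_NVARS])
{
	char *env[HOOK_NVARS + 2];
	char *const argv[] = { (char *)path, NULL };
	pid_t pid;
	int status;

	if (make_hook_env(env, vals) == -1)
		return -1;
	if ((pid = fork()) == -1) {
		free_hook_env(env);
		return -1;
	}
	if (pid == 0) {
		if (drop_privileges(user) == -1)
			_exit(127);
		execve(path, argv, env);
		_exit(127);
	}
	free_hook_env(env);
	if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status);
}

int main(int argc, char *argv[])
{
	/* Constructed sample inputs; a real caller fills these from its config. */
	const char *vals[HOOK_NVARS] = { "add", "example.com", "dns-01", "constructed-token" };

	if (argc != 2) {
		fprintf(stderr, "usage: %s hook-program\n", argv[0]);
		return 1;
	}
	return run_hook(argv[1], "_acme", vals) == 0 ? 0 : 1;
}
```

Run as root with the path of a hook program as its only argument; the hook sees only the five variables and runs as the dedicated user, and its exit status is what the caller acts on. A hook that still needs a secret (the curl password the message mentions) can receive it the same way, since nothing from the caller's environment leaks into the child.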