
Secure CGI Applications in C on OpenBSD - hazbo
https://kristaps.bsd.lv/absdcon2016/
======
tannhaeuser
What does pledge() do here? Apache usually drops to nobody, daemon, or www (e.g.
as a user without privilege on the host at all) after opening a socket. Does
OpenBSD's httpd run as root so it can invoke a low-privilege EUID request
process? Because running as nobody doesn't include becoming a different user,
unless calling a setuid binary, which is kind of possible, if awkward, with
Apache (e.g. because you'll want that only after auth, hence with a setuid
program matching the authenticated client).

~~~
Mordak
pledge[1] allows a process to promise the kernel that it will restrict itself
to a given subset of system calls. So you call pledge() with the set of
syscalls you need, and then if your application does something else then it
will be killed.

The OpenBSD httpd is privilege separated and chroot()ed, and each component
only pledge()s the syscalls it needs. This reduces to just the syscalls needed
to do filesystem operations inside the chroot, log, and talk on the internet.
In the CGI context, if your application only needs to read/write stdio to
talk to httpd, then you can limit yourself to just stdio, or if it only needs
to read files then it can limit itself to just those syscalls. If your
application does something outside of your pledge() (e.g. exec(), because it
got pwned) then the kernel will kill it.

1. [https://man.openbsd.org/pledge](https://man.openbsd.org/pledge)
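The two-phase narrowing Mordak describes (stdio plus file reads while the document is being opened, then stdio alone while it is streamed back to httpd), as an added example in C that is neither from the linked talk nor from the comment above. It assumes a document root of `/var/www/docs` and that `QUERY_STRING` carries a bare document name; on systems without pledge(2) a no-op stand-in is compiled in so the program still builds, but the kill-on-violation behaviour only exists on OpenBSD.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Portability stand-in (assumption for this example): on systems without
 * pledge(2) the call is a no-op so the program still builds. On OpenBSD the
 * real syscall from <unistd.h> is used and a violation kills the process. */
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises;
    (void)execpromises;
    return 0;
}
#endif

/* Assumed document root for this example. */
#define DOCDIR "/var/www/docs"

/* Accept only a single, conservative path component: lowercase letters,
 * digits, '-' and '.', not starting with '.', so "../x" and "a/b" are refused
 * and the request cannot steer the CGI outside DOCDIR. Returns 1 if safe. */
int is_safe_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 64 || name[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
              c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Open dir/name for reading; NULL if the name is unsafe or the file is
 * missing. This is the only step that needs the "rpath" promise. */
FILE *open_doc(const char *dir, const char *name)
{
    char path[512];
    if (!is_safe_name(name))
        return NULL;
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return NULL;
    return fopen(path, "r");
}

/* Write a text/plain CGI response for an already-open file. Needs only
 * "stdio". Returns the number of body bytes written, or -1 on error. */
long stream_response(FILE *in, FILE *out)
{
    char buf[4096];
    size_t n;
    long total = 0;

    fputs("Content-Type: text/plain\r\n\r\n", out);
    while ((n = fread(buf, 1, sizeof buf, in)) > 0) {
        if (fwrite(buf, 1, n, out) != n)
            return -1;
        total += (long)n;
    }
    fflush(out);
    return total;
}

int main(void)
{
    /* Phase 1: before touching request data, promise only what the whole
     * request needs: stdio to talk to httpd, rpath to open the document. */
    if (pledge("stdio rpath", NULL) == -1) {
        perror("pledge");
        return 1;
    }

    const char *name = getenv("QUERY_STRING");
    if (name == NULL || *name == '\0')
        name = "index.txt";

    FILE *doc = open_doc(DOCDIR, name);

    /* Phase 2: the file is open, so drop rpath as well. pledge() can only
     * narrow the promise set, never widen it. From here on an open(2),
     * socket(2) or execve(2), e.g. from injected shellcode, is fatal. */
    if (pledge("stdio", NULL) == -1) {
        perror("pledge");
        return 1;
    }

    if (doc == NULL) {
        fputs("Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\n"
              "no such document\r\n", stdout);
        return 0;
    }
    if (stream_response(doc, stdout) < 0)
        return 1;
    fclose(doc);
    return 0;
}
```

The order matters: the first pledge() goes in before any attacker-controlled input (QUERY_STRING) is read, and the second goes in as soon as the last file operation is done, so the window in which a compromised process can still open files is as small as possible. The name check is a plain allow-list rather than an attempt to strip `..`, which is the easier property to get right.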

