
Introduce `--without-procctl` to explicitly disable procctl hardening

Open rcmcdonald91 opened this issue 2 years ago • 7 comments

This knob explicitly disables procctl hardening support on platforms that provide it (i.e. FreeBSD). This build option is necessary in order for child processes spawned by scripts to be reparented to the system default reaper (init) instead of being explicitly killed. Under normal circumstances pkg should not be starting long-lived processes. This is a nice-to-have knob for projects that would like to use the pkg infrastructure and need a way to restart daemons, etc.

If this is accepted, we will also want to expose this knob in the FreeBSD port as well.

rcmcdonald91, Apr 10 '23 15:04
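To show what the knob toggles, here is an added example (not pkg's own code) that simulates a package script orphaning a daemon. It assumes the hardening is FreeBSD's `PROC_REAP_ACQUIRE` reaper facility and, as a stand-in so it also runs on Linux, uses `PR_SET_CHILD_SUBREAPER`; with the reaper active the orphan is reparented to us (and can be found and killed), without it the orphan goes to the system default reaper.

```c
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/wait.h>
#ifdef __FreeBSD__
#include <sys/procctl.h>   /* PROC_REAP_ACQUIRE / PROC_REAP_RELEASE (assumed pkg mechanism) */
#else
#include <sys/prctl.h>     /* Linux stand-in: PR_SET_CHILD_SUBREAPER */
#endif
/* Claim (on=1) or release (on=0) reaper status for all descendants. */
static int set_reaper(int on)
{
#ifdef __FreeBSD__
    return procctl(P_PID, getpid(), on ? PROC_REAP_ACQUIRE : PROC_REAP_RELEASE, NULL);
#else
    return prctl(PR_SET_CHILD_SUBREAPER, on, 0, 0, 0);
#endif
}
/* Simulate a package script: a child forks a "daemon" and exits, orphaning it.
 * Returns the pid the orphan sees as its new parent: ours when we are the
 * reaper (so it can still be found and killed), else the system default. */
pid_t orphan_new_parent(int use_reaper)
{
    int fd[2]; pid_t child, reparented_to = -1;
    if (pipe(fd) != 0 || set_reaper(use_reaper) != 0)
        return -1;
    child = fork();
    if (child == 0) {                         /* the script process */
        pid_t me = getpid();
        if (fork() == 0) {                    /* the lingering daemon */
            close(fd[0]);
            while (getppid() == me)           /* spin until the script is gone */
                usleep(1000);
            pid_t p = getppid();
            if (write(fd[1], &p, sizeof p) != (ssize_t)sizeof p) _exit(1);
            _exit(0);
        }
        _exit(0);                             /* script done, daemon lives on */
    }
    close(fd[1]);
    if (child > 0) {
        waitpid(child, NULL, 0);
        if (read(fd[0], &reparented_to, sizeof reparented_to) != (ssize_t)sizeof reparented_to)
            reparented_to = -1;
        while (waitpid(-1, NULL, 0) > 0) {}   /* reap the orphan if it is now ours */
    }
    close(fd[0]);
    set_reaper(0);
    return reparented_to;
}
```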

This ended up with an extra commit that I don't think you intended, the first just removes a line that the second re-adds. You should `git rebase -i HEAD~2` this branch and squash the second into the first.

kevans91, Apr 10 '23 16:04

oooof thanks, fixed.

rcmcdonald91, Apr 10 '23 16:04

There is an option for pkg to restart the daemons: HANDLE_RC_SCRIPTS, which imho should end up becoming a trigger that reacts on rc.d addition.

Isn't it enough?

If we ever end up removing procctl I would prefer a runtime option (aka something in pkg.conf) rather than a build time one.

bapt, Apr 19 '23 07:04

> There is an option for pkg to restart the daemons: HANDLE_RC_SCRIPTS, which imho should end up becoming a trigger that reacts on rc.d addition.
>
> Isn't it enough?
>
> If we ever end up removing procctl I would prefer a runtime option (aka something in pkg.conf) rather than a build time one.

Hi,

No, it isn't enough, unfortunately, at least not without significant work.

I could implement this as a pkg.conf option and resubmit.

rcmcdonald91, Jul 16 '23 02:07

Can you briefly explain what's currently missing from HANDLE_RC_SCRIPTS?

igalic, Jul 16 '23 07:07

pfSense uses pkg scripts to execute custom code which in turn restarts services during post-install. Yes, this is a bit unconventional, but it is what it is... pfSense is a very old codebase. Furthermore, pfSense uses a custom rc system, so HANDLE_RC_SCRIPTS is insufficient for us. We carry the above patch internally to disable procctl, though having a runtime option would be useful.

rcmcdonald91, Jul 16 '23 11:07

To be honest, the best and the safest is to have a trigger which executes when the whole transaction is over, a trigger that looks for rc.d modification.

It will work out of the box, and will be safer than the "in transaction" mode, which could end up trying to restart a daemon for which some plugins will be updated only later in the transaction ("hello dovecot").

And it does not require any work on pkg.

bapt, Jul 16 '23 13:07