Hi Andrew, sorry for late reply: I was short on free time and also wanted to take some time to think about this
On Sun, 19 Jan 2025 19:31:55 +0000 Andrew Bower <[email protected]> wrote: > Hey Lorenzo, > > Would you consider adding a script to your runit package to help > runscripts benefit from my new xchpst hardening tool while falling > back to chpst-compatible options when it isn't installed, please? thanks for your work on this tool, I agree it would great to have hardening as an available option for runit :) > [...] > [dpkg-divert patch] > [...] > [alternatives patch] I'm not sure we I will be able to get this right at the first attempt, but let's see: I prefer to start with something simpler, I'm not sure it will work but: I had a look at runscripts and chpst is rarely used, often with one option like 'chpst -uuser' or 'chpst -mNNN' or the like, so for instance (stealing the idea from the power-profile-daemon chatting we had), * on the runscript side, in the exec line, we could do something like [if chpst is not used] exec ${XCHPST:-} /bin/to/exec [if chpst is used, we hardcode it as fallback] exec ${XCHPST:-chpst -u bob} /bin/to/exec now we need something to build $XCHPST when appropriate, what about invoke-run? * in invoke-run we could do something like (not tested) (it should probably no longer set -u) XCHPST="" if [ -x /usr/bin/xchpst ]; then if [ -r "${PWD}/xchopts" ] ; then export XCHPST="xchpst $(cat ${PWD}/xchopts)" fi fi some thoughts (if it works): (positive aspects) xchpst command line can be quite long, using the ${XCHPST:-} variable keeps the exec line of runscripts more compact (this is just my personal preference, not really a blocker); this way hardening can be enabled globally by installing xchpst, and it can be disabled for a single service by doing something (to be defined) on the xchopts file; it can be told by looking for the xchopts file if a service directory has support for hardening (and xchpst options can be extracted as well); (negative aspects) we add an XCHPST variable to the service environment, not a good thing but hopefully the name is specific enough that it doesn't trigger a behavior change in any existing daemon the command line is less transparent to the user: people will ask " where does this XCHPST variable comes from?", "what is for?", as they probably ask how files in /etc/default are sourced, how the starting message is printed and so on, they will really have to look at invoke-run manpage.. thoughts on the above? Cheers, Lorenzo
