Commit message | Author | Age
* Attempt to keep "security" in README accurate | June McEnroe | 2021-07-13
    It's a short summary trying to cover different systems...
* OpenBSD: merge unveil and pledge logic a bit | Klemens Nanni | 2021-07-13
    This reads somewhat clearer as code is grouped by features instead of security mechanisms by simply merging identical tests/conditions. No functional change.
* OpenBSD: unveil logs regardless of restrict mode | Klemens Nanni | 2021-07-13
    Simplify logic and decouple the two features such that the code gets even more self-documenting.

    Previously `catgirl -R -l' would never unveil and therefore "proc exec" could execute arbitrary paths without "rpath" as is usual unveil/pledge semantic.

    Now that `catgirl -l' alone triggers unveil(2), previous "proc exec" alone is not enough since the first unveil() hides everything else from filesystem; unveil all of root executable-only in order to restore non-restrict mode's visibility.

    This yields distinct cases wrt. filesystem visibility (hoisted save file functionality excluded):

    1. restrict on,  log off: no access
    2. restrict on,  log on : logdir write/create
    3. restrict off, log off: all exec-only
    4. restrict off, log on : logdir write/create, all else exec-only

    In the first case `unveil("/", "")' could be used but with no benefit as the later lack of "rpath wpath cpath", i.e. filesystem access is revoked entirely by pledge alone already.

    Practically, this does not change functionality but improves correctness and readability.
* Save invited channel for /join | June McEnroe | 2021-07-02
* Move security to the features list | June McEnroe | 2021-06-28
    The restrict option now enables real sandboxing on the two main target systems.
* OpenBSD: unveil the log directory specifically | June McEnroe | 2021-06-28
    The call to logOpen() will have already created the directory. Still use dataMkdir() as a convenient way to get the created path.
* FreeBSD: Use capsicum_helpers.h | June McEnroe | 2021-06-28
* Set MANDIR in chroot | June McEnroe | 2021-06-25
* FreeBSD: Limit rights on log directory | June McEnroe | 2021-06-25
* FreeBSD: Limit rights on save file | June McEnroe | 2021-06-25
* FreeBSD: Limit rights on stdio and socket | June McEnroe | 2021-06-25
* Remove explicit tls_handshake(3) from ircConnect | June McEnroe | 2021-06-25
    The first call to ircFormat, which calls tls_write(3) in turn, will perform the handshake anyway. This way the handshake happens after the final pledge(2) call.
* Move setting CLOEXEC on socket to ircConnect | June McEnroe | 2021-06-25
* FreeBSD: Enter capabilities mode if restricted | June McEnroe | 2021-06-25
* Keep log directory open, use mkdirat(2) and openat(2) | June McEnroe | 2021-06-25
* Encourage packagers to patch in text macros | June McEnroe | 2021-06-24
    Maybe no one will ever do it but I think it's a fun idea.
* Stop at previous \ when expanding macros | June McEnroe | 2021-06-24
    There was no reason to ever require whitespace before the macro name.
* Replace SIGWINCH XXX comment with better explanation | June McEnroe | 2021-06-21
* Register SIGWINCH handler before TLS connect | Klemens Nanni | 2021-06-21
    Otherwise resizing the terminal will end catgirl until a handler is registered, e.g. while in ircConnect():

        catgirl: tls_handshake: (null)

    Hoist registration right after uiInitEarly() as earliest possible point in main() since initscr(3) sets up various signals incl. SIGWINCH, i.e. initialise `cursesWinch' afterwards to pick up curses(3)'s handler.
* Handle EINTR from connect(2) gracefully | Klemens Nanni | 2021-06-21
    Resizing the window early on may return early due to SIGWINCH. Continue asynchronously in that case instead of exiting.
* Use NS and CS server aliases | June McEnroe | 2021-06-21
    I think I didn't use these originally because they were misconfigured on tilde.chat, but they work now, and supposedly server aliases should be more secure/reliable.
* Open log files with CLOEXEC | June McEnroe | 2021-06-21
* Open save file with CLOEXEC | June McEnroe | 2021-06-21
    Otherwise a lingering process from /copy for example could hold the lock.
* Use "secure" libtls ciphers | Klemens Nanni | 2021-06-20
    d3e90b6 'Use libtls "compat" ciphers' from 2018 fell back to "compat" ciphers to support irc.mozilla.org which now yields NXDOMAIN.

    All modern networks (should) support secure ciphers, so drop the hopefully unneeded list of less secure ciphers by avoiding tls_config_set_ciphers(3) and therefore sticking to the "secure" aka. "default" set of ciphers in libtls.

    A quick check shows that almost all of the big/known IRC networks support TLS1.3 already; those who do not at least comply with SSL_CTX_set_cipher_list(3)'s "HIGH" set as can be tested like this:

        echo \
            irc.hackint.org \
            irc.tilde.chat \
            irc.libera.chat \
            irc.efnet.nl \
            irc.oftc.net | xargs -tn1 \
            openssl s_client -quiet -cipher HIGH -no_ign_eof -port 6697 -host
* OpenBSD: Only unveil used directories | Klemens Nanni | 2021-06-20
    dataMkdir() already picked the appropriate directory so make it return that such that unveilData() can go as only that one directory needs unveiling.
* Handle "\1ACTION\1" empty actions | June McEnroe | 2021-06-20
* Don't match actions in notices | June McEnroe | 2021-06-20
* Handle TLS_WANT_POLL{IN,OUT} from tls_handshake(3) | June McEnroe | 2021-06-20
    For blocking sockets it should be retried immediately.
* Add -m mode option to set user modes | June McEnroe | 2021-06-18
* Handle 338 as whois reply | June McEnroe | 2021-06-17
    Used by Solanum for "actually using host".
* Match window substrings case-sensitively | June McEnroe | 2021-06-17
    Case-insensitivity was copied from regular complete(), but other commands which take substrings (/open and /copy) match case-sensitively.
* Match windows by substring in /window | June McEnroe | 2021-06-17
    This could just iterate over idNames instead, but using complete means more recently used windows will match first.
* Clean up if restricted && logEnable, pipe creation | June McEnroe | 2021-06-17
* Add mailing list archive to README | June McEnroe | 2021-06-17
* chat.tmux.conf: Make window selection hotkeys match window numbers | Klemens Nanni | 2021-06-17
    The 'pick chat network' binding on F1 lists tmux windows as follows and tmux's `choose-tree -Z' lets you jump to the window by pressing the key denoted inside parentheses. Set `base-index 1' so as to make window indices match up the hotkey number instead of being off-by-one due to the session itself being the first entry in the list.

        (0) - chat-5: 8 windows (group chat: chat-0,chat-1,chat-2,chat-3,chat-4,chat-5,chat-6) (attached)
        (1) ├─> 1: hackint: "example.com"
        (2) ├─> 2: efnet: "example.com"
        ...

    PS: Update existing sessions by updating chat.tmux.conf, pressing F5 then running `prefix-: move-window -r' to renumber all windows.
* Send PINGs when server is quiet and die if no response | June McEnroe | 2021-06-15
    Every time we receive from the server, reset a timer. The first time the timer triggers, send a PING. The second time the timer triggers, die from ping timeout.

    I'm not sure about these two intervals: 2 minutes of idle before a PING, 30s for the server to respond to the PING.
* OpenBSD: Simplify promise creation after seprintf() introduction | Klemens Nanni | 2021-06-15
    Just truncate the initial promises back to the final ones after pledging for the first time, saving code and memory.

    Assign `ptr' in all initial `seprintf()' calls for consistency while here.
* OpenBSD: pledge final promises earlier | Klemens Nanni | 2021-06-14
    No need to wait for so long. This also brings all the pledge code on one screen and helps show how ircConnect() is the only relevant part in between initial and final promises.
* Treat `-T's optional argument as optional | Klemens Nanni | 2021-06-14
    `-T[format]' is not possible with getopt(3) but getopt_long(3) supports "T::" exactly for that, so make the command line option go in line with configuration files and documentation.

    While here, check `has_arg' explicitly as getopt_long(3) only documents mnemonic values not numerical ones.
* Add \com text macro | June McEnroe | 2021-06-14
* /exec without controlling terminal | Klemens Nanni | 2021-06-13
    Otherwise "/exec sh </dev/tty" takes over and catgirl must effectively be killed to stop the madness; with this diff:

        catgirl input| /exec sh </dev/tty
        catgirl output| /bin/sh: cannot open /dev/tty: Device not configured
        catgirl output| Process exits with status 1

    Do the same for `-C/Copy', `-N/notify' and `-O/open' alike.
* Exit on data directory creation error | Klemens Nanni | 2021-06-13
    No point in creating (sub)directories when the given root failed already as is the case when e.g. XDG_DATA_HOME/catgirl/ itself is bogus (cleaned stderr intermangled with ncurses setup/catgirl output):

        $ env -i TERM=xterm XDG_DATA_HOME=/ ./catgirl -h irc.hackint.eu -n nobody -l
        catgirl: //catgirl/: Permission denied
        catgirl: //catgirl/log: No such file or directory
        catgirl: //catgirl/log/hackint: No such file or directory
        catgirl: //catgirl/log/hackint/NickServ: No such file or directory
        catgirl: //catgirl/: Permission denied
        catgirl: //catgirl/log/hackint/NickServ/2021-06-13.log: No such file or directory
* OpenBSD: no need to read data files (logs) | Klemens Nanni | 2021-06-13
    One of the last changes missed this, but it is a NOOP anyway since "rpath" is not pledged any longer.
* Reset formatting after realname in setname | June McEnroe | 2021-06-12
    Missed this one.
* Fix unknown file signature error | June McEnroe | 2021-06-11
* Exclusively lock save file | June McEnroe | 2021-06-11
    Prevents two instances of catgirl from using the same save file and clobbering each other's data.
* Open save file with "a+" | June McEnroe | 2021-06-11
    Avoids another small TOCTOU. Rewind before loading since "a+" sets the file position at the end. Remove unnecessary fseek after truncation, since "a+" always writes at the end of the file.
* OpenBSD: Drop now unneeded file system access for save file | Klemens Nanni | 2021-06-11
    All opening happens before unveil/pledge and the file handle is kept open read/write so it can be used without any pledge.

    Simpler/less code and less chances to write other files (accidentally).
* Open save file once in uiLoad() and keep it open until uiSave() | Klemens Nanni | 2021-06-11
    Opening the same file *path* twice is a TOCTOU, although not a critical one: worst case we load from one file and save to another - the impact depends on how and when catgirl is started the next anyway.

    More importantly, keeping the file handle open at runtime allows us to drop all filesystem related promises for `-s/save' on OpenBSD.

    uiLoad() now opens "r+", meaning "Open for reading and writing." up front so uiSave() can write to it. In the case of a nonexistent save file, it now opens with "w" meaning "Open for writing. The file is created if it does not exist.", i.e. the same write/create semantics as "w" except uiLoad() no longer truncates existing files.

    uiSave() now truncates the save file to avoid appending in general.
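As an added example (not catgirl's code) of the save-file handling described in the three commits above ("Exclusively lock save file", "Open save file with "a+"" and "Open save file once"): the file is opened a single time, locked with flock(2) so a second instance fails instead of clobbering, rewound before loading, and truncated before writing through the same handle. The path, the saved lines and the helper names saveOpen/saveLoad/saveWrite are constructed for this example.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/file.h>

/* Open (creating if needed) with "a+" so there is no separate exists-check
 * and open step, then take an exclusive, non-blocking lock so a second
 * instance fails fast instead of clobbering. Returns NULL on failure. */
FILE *saveOpen(const char *path) {
    FILE *file = fopen(path, "a+");
    if (!file) return NULL;
    if (flock(fileno(file), LOCK_EX | LOCK_NB) < 0) {
        fclose(file);
        return NULL;
    }
    return file;
}

/* "a+" positions the stream at the end, so rewind before reading. Reads to
 * EOF and keeps at most max lines in buf; returns the number kept. */
int saveLoad(FILE *file, char buf[][64], int max) {
    rewind(file);
    int n = 0;
    char line[64];
    while (fgets(line, sizeof(line), file)) {
        if (n >= max) continue;
        line[strcspn(line, "\n")] = '\0';
        strcpy(buf[n++], line);
    }
    return n;
}

/* Truncate before writing so stale entries are not appended to. The rewind
 * only resets stdio's read state after loading; with "a+" every write still
 * lands at the end of file, so no fseek is needed to find the end.
 * Returns 0 on success, -1 on error. */
int saveWrite(FILE *file, const char *const *lines, int n) {
    if (ftruncate(fileno(file), 0) < 0) return -1;
    rewind(file);
    for (int i = 0; i < n; i++) {
        if (fprintf(file, "%s\n", lines[i]) < 0) return -1;
    }
    return fflush(file) ? -1 : 0;
}
```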
* Rename file to saveFile | Klemens Nanni | 2021-06-11
    Separate churn from actual change in upcoming diff, no functional change.