summary refs log tree commit diff
path: root/chat.c (follow)
Commit message (Collapse)AuthorAge
* Make -o/printCert not load any files, pledge even earlierKlemens Nanni2021-07-13
| | | | | | | | | | | | | | | | | No point in trying to load a self-signed server certificate which we are about to get from the server in the first place. No need to read client certificate/key files when all we want is the server certificate: in TLS the server always sends its certificate before the client replies with any key material, i.e. catgirl sending client data is useless. catgirl(1) synopsis also notes how these options are irrelevant in the -o/printCert case. As a result, ircConfig() no longer requires any filesystem I/O in this case, so hoist the purely network I/O related pledge() call to enforce this -- more secure, self-documenting code!
* OpenBSD: merge unveil and pledge logic a bitKlemens Nanni2021-07-13
| | | | | | | This reads somewhat clearer as code is grouped by features instead of security mechanisms by simply merging identical tests/conditions. No functional change.
* OpenBSD: unveil logs regardless of restrict modeKlemens Nanni2021-07-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Simplify logic and decouple the two features such that the code gets even more self-ducumenting. Previously `catgirl -R -l' would never unveil and therefore "proc exec" could execute arbitrary paths without "rpath" as is usual unveil/pledge semantic. Now that `catgirl -l' alone triggers unveil(2), previous "proc exec" alone is not enough since the first unveil() hides everything else from filesystem; unveil all of root executable-only in order to restore non-restrict mode's visibility. This leaves yields distinct cases wrt. filesystem visibility (hoisted save file functionality excluded): 1. restrict on, log off: no access 2. restrict on, log on : logdir write/create 3. restrict off, log off: all exec-only 4. restrict off, log on : logdir write/create, all else exec-only In the first case `unveil("/", "")' could be used but with no benefit as the later lack of "rpath wpath cpath", i.e. filesystem access is revoked entirely by pledge alone already. Practically, this does not change functionality but improves correctness and readability.
* OpenBSD: unveil the log directory specificallyJune McEnroe2021-06-28
| | | | | The call to logOpen() will have already created the directory. Still use dataMkdir() as a convenient way to get the created path.
* FreeBSD: Use capsicum_helpers.hJune McEnroe2021-06-28
|
* FreeBSD: Limit rights on stdio and socketJune McEnroe2021-06-25
|
* Move setting CLOEXEC on socket to ircConnectJune McEnroe2021-06-25
|
* FreeBSD: Enter capabilities mode if restrictedJune McEnroe2021-06-25
|
* Keep log directory open, use mkdirat(2) and openat(2)June McEnroe2021-06-25
|
* Replace SIGWINCH XXX comment with better explanationJune McEnroe2021-06-21
|
* Register SIGWINCH handler before TLS connectKlemens Nanni2021-06-21
| | | | | | | | | | | Otherwise resizing the terminal will end catgirl until a handler is registered, e.g. while in ircConnect(): catgirl: tls_handshake: (null) Hoist registration right after uiInitEarly() as earliest possible point in main() since initscr(3) sets up various signals incl. SIGWINCH, i.e. initialise `cursesWinch' afterwards to pick up curses(3)'s handler.
* OpenBSD: Only unveil used directoriesKlemens Nanni2021-06-20
| | | | | | dataMkdir() already picked the appropiate directory so make it return that such that unveilData() can go as only that one directory needs unveiling.
* Add -m mode option to set user modesJune McEnroe2021-06-18
|
* Clean up if restricted && logEnable, pipe creationJune McEnroe2021-06-17
|
* Send PINGs when server is quiet and die if no responseJune McEnroe2021-06-15
| | | | | | | | | Every time we receive from the server, reset a timer. The first time the timer triggers, send a PING. The second time the timer triggers, die from ping timeout. I'm not sure about these two intervals: 2 minutes of idle before a PING, 30s for the server to respond to the PING.
* OpenBSD: Simplify promise creation after seprintf() introductionKlemens Nanni2021-06-15
| | | | | | | | Just truncate the initial promises back to the final ones after pledging for the first time, saving code and memory. Assign `ptr' in all initial `seprintf()' calls for consistency while here.
* OpenBSD: pledge final promises earlierKlemens Nanni2021-06-14
| | | | | | | | No need to wait for so long. This also brings all the pledge code on one screen and helps show how ircConnect() is the only relevant part in between initial and final promises.
* Treat `-T's optional argument as optionalKlemens Nanni2021-06-14
| | | | | | | | | `-T[format]' is not possible with getopt(3) but getopt_long(3) supports "T::" exactly for that, so make the command line option go in line with configuration files and documentation. While here, check `has_arg' explicitly as getopt_long(3) only documents mnemonic values not numerical ones.
* OpenBSD: no need to read data files (logs)Klemens Nanni2021-06-13
| | | | | One of the last changes missed this, but it is a NOOP anyway since "rpath" is not pledged any longer.
* OpenBSD: Drop now unneeded file system access for save fileKlemens Nanni2021-06-11
| | | | | | | All opening happens before unveil/pledge and the file handle is kept open read/write so it can be used without any pledge. Simpler/less code and less chances to write other files (accidentially).
* Open save file once in uiLoad() and keep it open until uiSave()Klemens Nanni2021-06-11
| | | | | | | | | | | | | | | | | Opening the same file *path* twice is a TOCTOU, although not a critical one: worst case we load from one file and save to another - the impact depends on how and when catgirl is started the next anyway. More importantly, keeping the file handle open at runtime allows us to drop all filesystem related promises for `-s/save' on OpenBSD. uiLoad() now opens "r+", meaning "Open for reading and writing." up front so uiSave() can write to it. In the case of a nonexistent save file, it now opens with "w" meaning "Open for writing. The file is created if it does not exist.", i.e. the same write/create semantics as "w" except uiLoad() no longer truncates. existing files. uiSave() now truncates the save file to avoid appending in general.
* OpenBSD: Hoist loading save file to drop filesystem read-accessKlemens Nanni2021-06-11
| | | | | | After TLS cert/key files, the save file is the only file being read from; do so before pleding and drop the "rpath" promise all together: log files will only be created and written to.
* Move unveilAll back into mainJune McEnroe2021-06-10
| | | | It doesn't do as much anymore, so move it back inline.
* OpenBSD: Drop now unneeded promise from initial pledgeKlemens Nanni2021-06-10
| | | | | | | Both ssl(8) as well as ncurses(3) related files are now read completely by the time of ircConfig() and uiInitEarly() respectively, so read access to the filesystem is no longer needed at all unless the "log" or "save" options are used.
* OpenBSD: Remove now obsolete unveil codeKlemens Nanni2021-06-10
| | | | | | | | | | | Previous tls_default_ca_cert_file(3) hoisting makes this possible: all TLS related files are fully loaded into memory by ircConfig() such that ircConnect() will not do any file I/O. Call ircConfig() before pledge(2) in the `-o' "print cert" case so this works out -- that order should have been preserved in the previous a989e15 "OpenBSD: hoist -o/printCert code to simplify" but fixing it now nicely demonstrates the achivement even more so.
* Replace catf with seprintfJune McEnroe2021-06-09
|
* OpenBSD: pledge minimum promises from the startKlemens Nanni2021-06-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | catgirl needs: - "stdio tty" at all times - "rpath inet dns" once at startup for terminfo(5) and ssl(8) - "proc exec" iff -R/restrict options is disabled - "rpath wpath cpath" iff -s/save or -l/log options is enabled Status quo: catgirl starts with the superset of all possible promises "stdio rpath wpath cpath inet dns tty proc exec", drops offline with "stdio rpath wpath cpath tty proc exec" and possibly drops to either of "stdio rpath wpath cpath tty", "stdio tty proc exec" or "stdio tty" depending on the options used. Such step-by-step reduction is straight forward and easy to model along the process runtime, but it comes with the drawback of starting with too broad promises right from the beginning, i.e. `catgirl -R -h host' is able to execute code and write to filesystems even though it must never do so according the (un)used options. Lay out required promises up front and pledge in two stages: 1. initial setup, i.e. fixed "stdio tty" plus temporary "rpath inet dns" plus potential "rpath wpath cpath" plus potential "proc exec" 2. final rutime, i.e. fixed "stdio tty" plus potential "rpath wpath cpath" plus potential "proc exec" This way the above mentioned usage example can never execute or write files, hence less potential for bugs and more accurate modelling of catgirl's runtime -- dropping "inet dns" alone in between also becomes obsolete with this approach.
* OpenBSD: unveil after ncurses(3) init to support TERMINFOKlemens Nanni2021-06-09
| | | | | | | | | | | | initscr(3) in uiInitEarly() attempts more than /usr/share/terminfo/, see `mandoc -O tag=TERMINFO ncurses`. Even though non-default terminfo handling seems rare and it is unlikely to have ever caused a problem for catgirl users on OpenBSD, the current is still wrong by oversimplifying it. Avoid the entire curses/unveil clash by setting up the screen before unveiling.
* OpenBSD: hoist -o/printCert code to simplifyKlemens Nanni2021-06-09
| | | | | | | | | | Nothing but the TLS handshake is required, so skip all other setup. On OpenBSD, unveil() handling needs fixing which will involve code reshuffling -- this is the first related but standalone step. Also pledge this one-off code path individually such with simpler and tighter promises while here.
* Pad kiosk username with zero, not spaceJune McEnroe2021-06-06
| | | | Oops!
* OpenBSD: unveil XDG directories only when neededKlemens Nanni2021-06-06
| | | | | | | | | | | | | | | The (not perfectly obvious) way catgirl crafts directories gets triggered by unveilAll() even if no passed option requires filesystem access: $ env -i TERM=xterm ./catgirl -h irc.hackint.eu -R -n nobody catgirl: HOME unset Here unveil(2) is used due to the "restrict" option, but besides terminfo(5) and certificates catgirl does not need any other files, yet it tries to init the data path -- passing XDG_DATA_HOME=/var/empty makes above invocation work showing how the then successful path setup is not required. Fix this by not unveiling the unneeded data path in the first place.
* Hash the username in kiosk modeJune McEnroe2021-05-27
| | | | So that the first part of $SSH_CLIENT can be passed as username.
* Disable nick and channel colors with hash bound 0June McEnroe2021-03-08
|
* Error if hash bound is less than 2June McEnroe2021-02-25
| | | | Bad things happen otherwise.
* Change default timestamp format to %XJune McEnroe2021-01-27
| | | | This respects the user's locale settings.
* Add toggleable display of timestampsJune McEnroe2021-01-27
|
* Drop filesystem access iff possibleKlemens Nanni2021-01-23
| | | | | | | Log files and state save/restore both require read/write access to the filesystem, both during start and exit. If neither features are used, catgirl may run with "stdio tty".
* Drop exec capability iff restrictedKlemens Nanni2021-01-23
| | | | Nothing must be executed when running /copy, et al.
* Drop network capability after ircConnect()Klemens Nanni2021-01-23
| | | | | | catgirl has no reconnect feature and generally must not do anything but read/write from/to the connected socket which does not require "inet" or "dns" promises.
* Call pledge(2) after unveil(2)Klemens Nanni2021-01-23
| | | | | | Simplify logic, be more idiomatic and finalize by pledging after all unveiling is done by omitting the "unveil" promise and thereby not allowing further calls to it.
* Separate kiosk mode from restrict modeJune McEnroe2021-01-23
| | | | | | | | | | | Restrict mode will focus on sandboxing, while kiosk will continue to restrict IRC access through a public kiosk. Kiosk mode without restrict mode allows execution of man 1 catgirl with /help, assuming external sandboxing. The /list and /part commands are also added to the list of disabled commands in kiosk mode, since they are pointless without access to /join.
* Add -I highlight option and /highlightJune McEnroe2021-01-16
|
* Rename ignore code to filterJune McEnroe2021-01-16
|
* Sandbox with unveil(2) on OpenBSD in restricted modeJune McEnroe2021-01-10
| | | | I wrote all this in vi and it was nice.
* Print chain to stdout with -oJune McEnroe2021-01-10
|
* Exit immediately when using -oJune McEnroe2021-01-10
|
* Add -o and -t options to trust self-signed certificatesJune McEnroe2021-01-09
|
* Allow configuring the upper bound of the hash functionJune McEnroe2021-01-09
| | | | | | | This allows limiting the nick colors used to the 16-color terminal set without modifying the TERM environment variable. Produces different results from just using the default configuration in a 16-color terminal, but what can you do?
* Sandbox with pledge(2) on OpenBSDJune McEnroe2021-01-06
|
* Split /exec lines by \r as well as \nJune McEnroe2020-11-24
| | | | | This fixes local rendering of /exec toilet --irc, which outputs \r\n line endings.