
horia

just a simple OpenBSD appreciator

horia bonked 03 Jun 2025 11:10 -0700
original: tedu@honk.tedunangst.com

Honk Cyan Cellophane v1.5.0

It's that time of year again when I smash the button and the honk comes out. 1.5.0 has a bunch of exciting changes.

We've got new images coming. AVIF and HEIC are now supported, for all you freedom and iphone lovers. Converting jpeg to avif really does make a pretty big difference when browsing the timeline over a more modest link. But there are no new build dependencies for those who prefer to keep things just as they are. libavif and libheif are only loaded if present and requested.

I spent some time uselessly optimizing memory usage and some other performance tuning, to make things not really all that much faster. But it felt good.

You've got high uptime standards. You expect six nines. Nice. But honk's millisecond restart times were threatening all of that. Well now you can do hot restarts with SIGHUP. Very nice.

Every honk can now trigger a web. Let your honks flow freely into other systems where people do not expect them.

And despite all that, the release packaging is 40% smaller? How? The R&D team has been hard at work on a new quantum compression technique. Is the big dependency included? Is a smaller dependency with the same features included? By creating a quantum superposition, we achieve observable functionality without excess entropy. Magic!

That's all. See you soon, when 1.5.1 comes out.


horia bonked 01 Jun 2025 13:16 -0700
original: tedu@flak.tedunangst.com

pledge with a reëxecing process


I have a web application process, which talks to strangers on the network and stores data in the filesystem. To limit the damage caused by naughty tricksters, it uses pledge and unveil so that even if somebody takes over the process, they can only corrupt this program’s data. As opposed to changing my password, for example.

Users love features, so every day I add a new feature, and then I restart the server. This causes milliseconds of downtime. We can only afford 800 milliseconds of downtime per day in order to meet our five nines availability target, and two restarts in a single day puts us very close to the limit. So I added a smooth restart feature, where sending SIGHUP to the server will cause it to reëxec itself, but with the listening socket already open. No connections are lost.

Fork and exec require additional promises to pledge. But this opens the door to trouble. What happens if the trickster wants to exec a new process? Fortunately, unveil restricts exec to only the same program, but they can still restart it with new options, like setting the log file to /etc/passwd. The command line interface offers enough flexibility to accomplish a fair bit of mischief. I spent some time convincing myself this is an unlikely attack scenario, and mostly succeeded, but using pledge suggests I care about unlikely scenarios, so I should do things properly.

As with all problems, the solution is to add another layer of abstraction. Now the main process execs a worker process, and the worker process once again loses the ability to exec. I was already using one helper process anyway, managed by the server. After shuffling some code around, our growing family now includes three processes. The result is arguably better organized, as well, since competing concerns are better split among the processes.

(#openbsd #security)