Merge pull request #82 from epsilon-0/master

add security features on OpenBSD
Ian 2022-06-08 21:51:43 -07:00 committed by GitHub
commit ce6cb783d0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 36 additions and 0 deletions

20
Cargo.lock generated

@ -594,6 +594,15 @@ version = "0.3.23"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d1a3ea4f0dd7f1f3e512cf97bf100819aa547f36a6eccac8dbaae839eb92363e"
[[package]]
name = "pledge"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "252599417b7d9a43b7fdc63dd790b0848666a8910b2ebe1a25118309c3c981e5"
dependencies = [
"libc",
]
[[package]]
name = "ppv-lite86"
version = "0.2.15"
@ -995,6 +1004,15 @@ version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3"
[[package]]
name = "unveil"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5e7fa867d559102001ec694165ed17d5f82e95213060a65f9c8b6280084bbfec"
dependencies = [
"libc",
]
[[package]]
name = "url"
version = "2.2.2"
@ -1014,11 +1032,13 @@ dependencies = [
"anyhow",
"envy",
"ldap3",
"pledge",
"reqwest",
"serde",
"serde_json",
"thiserror",
"toml",
"unveil",
]
[[package]]


@ -13,3 +13,5 @@ serde_json = "1.0"
thiserror = "1.0"
anyhow = "1.0"
envy = "0.4.1"
pledge = "0.4.2"
unveil = "0.3.2"


@ -1,5 +1,7 @@
extern crate anyhow;
extern crate ldap3;
extern crate pledge;
extern crate unveil;
use std::collections::HashSet;
use std::thread::sleep;
@ -9,6 +11,8 @@ use anyhow::Context as _;
use anyhow::Error as AnyError;
use anyhow::Result;
use ldap3::{DerefAliases, LdapConn, LdapConnSettings, Scope, SearchEntry, SearchOptions};
use pledge::pledge;
use unveil::unveil;
mod config;
mod vw_admin;
@ -21,6 +25,16 @@ fn main() {
config.get_vaultwarden_root_cert_file(),
);
unveil(config::get_config_path(), "r")
.or_else(unveil::Error::ignore_platform)
.expect("Could not unveil config file");
unveil("", "")
.or_else(unveil::Error::ignore_platform)
.expect("Could not disable further unveils");
pledge("dns flock inet rpath stdio tty", "")
.or_else(pledge::Error::ignore_platform)
.expect("Could not pledge permissions");
invite_users(&config, &mut client, config.get_ldap_sync_loop())
}
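Review bot: Nothing at the `unveil`/`pledge` calls in `main` records why each path and promise is needed, so the sandbox cannot be checked against what `invite_users` does after the lock. Only the config path is unveiled before `unveil("", "")`, yet `rpath` stays in the promise set. If the sync loop later opens any other file, the open will fail at runtime on OpenBSD only (a CA bundle read on an LDAP or HTTPS reconnect is one candidate, though that code is not visible here); if nothing is re-read after this point, the config unveil and `rpath` can probably both be dropped. `flock` and `tty` also have no visible consumer in this hunk. I would add a comment above the pledge call along the lines of `// pledge: dns+inet for LDAP/HTTPS, rpath for <file read after this point>, flock/tty for <reason>` and trim any promise that cannot be justified; `main` starts above the hunk, so what runs before the sandbox is applied is only partly visible.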