Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support OpenBSD #31

Merged
merged 3 commits into from
Feb 25, 2024
Merged

Support OpenBSD #31

merged 3 commits into from
Feb 25, 2024

Conversation

klemensn
Copy link
Contributor

Build fixes, integration with shairport-sync and security improvements.

Running as unprivileged user could be moved from OpenBSD specific macros to proper configure flags,
then other non-Linux systems can avoid running as root as well.

Requires mikebrady/shairport-sync#1793

@klemensn
Build on OpenBSD
3487ba6 
Recognise the system to configure, build and start.
More work is required to actually work with shairport-sync.
Tested on OpenBSD/amd64 7.4-current.
@klemensn
Hoist PTP socket handling, drop privileges on OpenBSD
4586bb0 
bind(2)ing ports below 1024 is the only privileged operation NQPTP does.

Move its code up in main() before shared memory handling such that root
privileges can be dropped immediately after it;  no currently supported
system does that, thus this should be a NOOP.

Do so on OpenBSD where shm_open(3) does not allow access to shared memory
objects by multiple UIDs, i.e. to communicate, shairport-sync and NQPTP
must create them and run as the very same user.

OpenBSD's official audio/shairport-sync user provides an rc.d(8) daemon
script that runs as `_shairport` user.
@klemensn
Hoist control socket handling, restrict runtime on OpenBSD
6e5f694 
Use pledge(2) to prevent fork/exec, filesystem access and other
unused subsets of system calls, effectively leaving only shared
memory and networking capabilities at runtime.

(Those might be further reduced, but that warrants further analysis
 and most likely more code shuffling.)
@klemensn
Copy link
Contributor Author

klemensn commented Feb 1, 2024

@mikebrady Shall I rebase onto development as is done for shairport-sync?

@mikebrady
Copy link
Owner

Thanks for all this! Let me take a look at it.

@klemensn klemensn mentioned this pull request Feb 12, 2024
Merged
@klemensn
Copy link
Contributor Author

@mikebrady If you want, I can also split out configure/build fixes from the more delicate (and important!) code hoisting and pledge(2) usage.

@klemensn
Copy link
Contributor Author

@mikebrady If you want, I can also split out configure/build fixes from the more delicate (and important!) code hoisting and pledge(2) usage.

Like the shairport-sync PR, this one is ready for review/merge as well.
Let me know if there's anything to sort out.

@mikebrady mikebrady merged commit 5cd5e6e into mikebrady:main Feb 25, 2024
@mikebrady
Copy link
Owner

Many thanks!

@klemensn klemensn deleted the openbsd branch February 26, 2024 14:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@klemensn @mikebrady