2 comments

[ 2.9 ms ] story [ 18.7 ms ] thread
What does pledge() do here? Apache usually drops to nobody, daemon, or www (eg as a user without privilege on the host at all) after opening a socket. Does OpenBSD's httpd run as root so it can invoke a low-privilege EUID request process? Because running as nobody doesn't include becoming a different user, unless calling a setuid binary, which is kindof possible, if awkward, with Apache (eg. because you'll want that only after auth, hence with a setuid program matching the authenticated client).
pledge[1] allows a process to promise the kernel that it will restrict itself to a given subset of system calls. So you call pledge() with the set of syscalls you need, and then if your application does something else then it will be killed.

The OpenBSD httpd is privilege separated and chroot()ed, and each component only pledge()s the syscalls it needs. This reduces to just the syscalls needed to do filesystem operations inside the chroot, log, and talk on the internet. In the CGI context, if your application only needs to read / write to stdio to talk to httpd, then you can limit yourself to just stdio, or if it only needs to read files then it can limit itself to just those syscalls. If your application does something outside of your pledge() (eg. exec(), because it got pwned) then the kernel will kill it.

1. https://man.openbsd.org/pledge