Date:      Mon, 27 Jan 2020 09:01:16 +0000 (UTC)
From:      Colin Percival <cperciva@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r524248 - in head: . security security/imds-filterd
Message-ID:  <202001270901.00R91GXv074452@repo.freebsd.org>

Author: cperciva
Date: Mon Jan 27 09:01:16 2020
New Revision: 524248
URL: https://svnweb.freebsd.org/changeset/ports/524248

Log:
  Add imds-filterd.
  
  The imds-filterd tool allows administrators of EC2 instances to lock down
  which data from the Instance Metadata Service can be accessed by specified
  system users and groups, thereby making the EC2 Instance Metadata Service
  compatible with traditional UNIX privilege separation.
  
  Reviewed by:	otis, dizzy, lwhsu
  Sponsored by:	Tarsnap Backup Inc.

Added:
  head/security/imds-filterd/
  head/security/imds-filterd/Makefile   (contents, props changed)
  head/security/imds-filterd/distinfo   (contents, props changed)
  head/security/imds-filterd/pkg-descr   (contents, props changed)
  head/security/imds-filterd/pkg-message   (contents, props changed)
Modified:
  head/GIDs
  head/UIDs
  head/security/Makefile

Modified: head/GIDs
==============================================================================
--- head/GIDs	Mon Jan 27 08:19:09 2020	(r524247)
+++ head/GIDs	Mon Jan 27 09:01:16 2020	(r524248)
@@ -194,7 +194,7 @@ sems:*:250:
 # free: 251
 # free: 252
 _adsuck:*:253:
-# free: 254
+imds:*:254:
 _i2pd:*:255:
 _tor:*:256:
 _smtpd:*:257:
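Review bot: the new group is named `imds` without the leading underscore that the neighbouring daemon entries (`_adsuck`, `_i2pd`, `_tor`, `_smtpd`) use; either form is accepted in this file (`sems` above has none), but the name chosen here must match the UIDs entry and `GROUPS=` in the port Makefile exactly, so keep all three in sync if it is renamed.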

Modified: head/UIDs
==============================================================================
--- head/UIDs	Mon Jan 27 08:19:09 2020	(r524247)
+++ head/UIDs	Mon Jan 27 09:01:16 2020	(r524248)
@@ -199,7 +199,7 @@ sems:*:250:250::0:0:SIP Express Media Server:/nonexist
 # free: 251
 # free: 252
 _adsuck:*:253:253::0:0:Adsuck ad blocking user:/nonexistent:/usr/sbin/nologin
-# free: 254
+imds:*:254:254::0:0:Instance Metadata Service filter:/nonexistent:/usr/sbin/nologin
 _i2pd:*:255:255::0:0:I2P daemon:/var/db/i2pd:/usr/sbin/nologin
 _tor:*:256:256::0:0:Tor anonymizing router:/var/db/tor:/usr/sbin/nologin
 _smtpd:*:257:257::0:0:OpenSMTPD:/var/empty:/usr/sbin/nologin
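Review bot: `/nonexistent` as home and `/usr/sbin/nologin` as shell are the right choice for an account that exists only to drop privileges, but confirm that imds-filterd never needs a writable state directory at runtime; the comparable daemons `_i2pd` and `_tor` in the adjacent lines are given `/var/db/...` homes for that reason. Also note the uid and gid both take slot 254, which must agree with the GIDs change in this same commit.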

Modified: head/security/Makefile
==============================================================================
--- head/security/Makefile	Mon Jan 27 08:19:09 2020	(r524247)
+++ head/security/Makefile	Mon Jan 27 09:01:16 2020	(r524248)
@@ -226,6 +226,7 @@
     SUBDIR += idea
     SUBDIR += identify
     SUBDIR += ike
+    SUBDIR += imds-filter
     SUBDIR += integrit
     SUBDIR += ipfcount
     SUBDIR += ipfilter2dshield
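Review bot: the SUBDIR entry reads `imds-filter`, but the directory added in this commit is `security/imds-filterd` (see the Added list and `PORTNAME= imds-filterd`); as written the category Makefile points at a directory that does not exist, so the port is skipped by category-wide builds and the INDEX build will warn about it. Change the line to `SUBDIR += imds-filterd`.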

Added: head/security/imds-filterd/Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/imds-filterd/Makefile	Mon Jan 27 09:01:16 2020	(r524248)
@@ -0,0 +1,44 @@
+# $FreeBSD$
+
+PORTNAME=	imds-filterd
+DISTVERSION=	0.1
+CATEGORIES=	security
+
+MAINTAINER=	cperciva@FreeBSD.org
+COMMENT=	Provides per user/group access controls to the EC2 IMDS
+
+LICENSE=	BSD2CLAUSE
+LICENSE_FILE=	${WRKSRC}/COPYRIGHT
+
+USE_GITHUB=	YES
+GH_ACCOUNT=	cperciva
+
+# Install binaries into ${STAGEDIR}${PREFIX}/sbin
+MAKE_ARGS+=	BINDIR=${STAGEDIR}${PREFIX}/sbin
+
+PORTDOCS=	README.md USAGE
+PLIST_FILES=	etc/rc.d/imds-filterd		\
+		etc/rc.d/imds-proxy		\
+		sbin/imds-filterd		\
+		sbin/imds-proxy			\
+		"@sample etc/newsyslog.conf.d/imds.conf.sample"	\
+		"@sample etc/syslog.d/imds.conf.sample"		\
+		"@sample etc/imds.conf.sample"
+
+OPTIONS_DEFINE=	DOCS
+
+USERS=		imds
+GROUPS=		imds
+
+post-install:
+	@${MKDIR} ${STAGEDIR}${DOCSDIR}
+	${INSTALL_DATA} ${PORTDOCS:S,^,${WRKSRC}/,} ${STAGEDIR}${DOCSDIR}
+	@${MKDIR} ${STAGEDIR}${PREFIX}/etc/syslog.d
+	${INSTALL_DATA} ${WRKSRC}/freebsd-conf/syslog-imds.conf ${STAGEDIR}${PREFIX}/etc/syslog.d/imds.conf.sample
+	@${MKDIR} ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d
+	${INSTALL_DATA} ${WRKSRC}/freebsd-conf/newsyslog-imds.conf ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d/imds.conf.sample
+	${INSTALL_DATA} ${WRKSRC}/imds.conf ${STAGEDIR}${PREFIX}/etc/imds.conf.sample
+	${INSTALL_SCRIPT} ${WRKSRC}/freebsd-conf/rc.d-imds-filterd ${STAGEDIR}${PREFIX}/etc/rc.d/imds-filterd
+	${INSTALL_SCRIPT} ${WRKSRC}/freebsd-conf/rc.d-imds-proxy ${STAGEDIR}${PREFIX}/etc/rc.d/imds-proxy
+
+.include <bsd.port.mk>
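Review bot: `post-install:` installs `${PORTDOCS}` unconditionally even though `OPTIONS_DEFINE= DOCS` is declared; when a user builds with DOCS off, the `%%PORTDOCS%%`-guarded plist entries are dropped but the files are still staged, and `make check-plist` reports them as orphaned. Move the two doc lines, `@${MKDIR} ${STAGEDIR}${DOCSDIR}` and `${INSTALL_DATA} ${PORTDOCS:S,^,${WRKSRC}/,} ${STAGEDIR}${DOCSDIR}`, into a separate `post-install-DOCS-on:` target. The `@sample` entries for the three `.conf.sample` files and the `etc/rc.d` scripts line up with the `INSTALL_DATA`/`INSTALL_SCRIPT` destinations, so the rest of the plist looks consistent.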

Added: head/security/imds-filterd/distinfo
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/imds-filterd/distinfo	Mon Jan 27 09:01:16 2020	(r524248)
@@ -0,0 +1,3 @@
+TIMESTAMP = 1580074291
+SHA256 (cperciva-imds-filterd-0.1_GH0.tar.gz) = e0e8b28046b2a917e110d1313242947aa6901635e81552107ab2f6a2fba83441
+SIZE (cperciva-imds-filterd-0.1_GH0.tar.gz) = 64011

Added: head/security/imds-filterd/pkg-descr
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/imds-filterd/pkg-descr	Mon Jan 27 09:01:16 2020	(r524248)
@@ -0,0 +1,12 @@
+imds-filterd (pronounced "I M D S Filter D") is a pair of utilities which
+work together to intercept and filter requests to the EC2 Instance Metadata
+Service -- or theoretically any other service at 169.254.169.254:80.
+
+It validates requests against a configured ruleset which specifies whether
+given users and groups should be allowed or denied access to certain prefixes
+in the Instance Metadata Service.  For example, "root" could be granted
+access to everything; most unprivileged users granted access to everything
+except IAM role credentials; but the www user denied access to the entire
+Instance Metadata Service in order to guard against SSRF and similar attacks.
+
+WWW: http://github.com/cperciva/imds-filterd
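Review bot: the WWW line uses `http://` for a GitHub URL; GitHub serves the project page over HTTPS and only redirects plain HTTP, so prefer `https://github.com/cperciva/imds-filterd` to avoid sending users through an unencrypted hop. The description itself is clear and the SSRF motivation for denying the www user is a useful hint for administrators.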

Added: head/security/imds-filterd/pkg-message
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/imds-filterd/pkg-message	Mon Jan 27 09:01:16 2020	(r524248)
@@ -0,0 +1,14 @@
+[
+{ type: install
+  message: <<EOM
+To enable imds-filterd, add imds_filterd_enable=YES to /etc/rc.conf.
+
+To configure imds-filterd, edit $PREFIX/etc/imds.conf.
+
+imds-filterd ships with configurations for syslogd and newsyslog which log
+accesses to the Instance Metadata Service to /var/log/imds.log and rotate
+this file upon reaching 1 MB; these settings can be modified via
+$PREFIX/etc/{syslog.d, newsyslog.conf.d}/imds.conf.
+EOM
+}
+]
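Review bot: `$PREFIX` appears literally in the install message ("edit $PREFIX/etc/imds.conf" and "$PREFIX/etc/{syslog.d, newsyslog.conf.d}/imds.conf"); pkg prints the message verbatim, so users will see the unexpanded string rather than their actual prefix. Either spell out the default `/usr/local` path or ship a `pkg-message.in` using `%%PREFIX%%` with `SUB_FILES= pkg-message` so the framework substitutes it at build time.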
