Installing Stephanie
--------------------

There are some slight differences between 2.8 and 2.9; notably, a few more sysctls were added in 2.9, and top(1) no longer uses the kvm interface. Where the installation differs between the two, it is pointed out.

First off, you'll need the following sources:

src/bin/ps
src/usr.bin/systat/ (optional, but you probably want it)
src/gnu/usr.bin/ld
src/lib/libc/stdio
src/lib/libkvm

People using OpenBSD 2.9 will additionally need:

src/usr.bin/top

Both 2.8 and 2.9 users will need the kernel source (either srcsys.tar.gz or via cvs) for their architecture.

I'm going to assume:

1: you have the above sources in /usr/src
2: you have a previously configured kernel

If you don't have either of these, go and check the FAQ at www.openbsd.org for instructions.

OK, extract the source and apply the kernel patch. Check the output of patch(1) for rejected hunks (it leaves .rej files behind) before going any further; a rejected hunk has to be merged by hand. The steps below use paths relative to wherever the tarball was unpacked, so adjust them if your directory name differs.

2.8 users:

# tar -xvzf stephanie-0.1.tar.gz
# cp stephanie-01/stephanie-28-0.1.patch /usr/src
# cd /usr/src
# patch -p0 < stephanie-28-0.1.patch

2.9 users:

# tar -xvzf stephanie-0.1.tar.gz
# cp stephanie/stephanie-29-0.1.patch /usr/src
# cd /usr/src
# patch -p0 < stephanie-29-0.1.patch

Now copy over the TPE sources:

# cp stephanie/kern/kern_tpe.c /usr/src/sys/kern
# cp stephanie/kern/kern_tpe_sys.c /usr/src/sys/kern
# cp stephanie/sys/kern_tpe.h /usr/src/sys/sys

Rebuild your syscall table (this regenerates the syscall headers from the patched syscalls.master):

# cd /usr/src/sys/kern
# make

Copy the regenerated and patched headers into /usr/include, so that userland (ld.so, libkvm, ps, top and the tpe_adm utility) builds against the new syscall and sysctl definitions:

# cp /usr/src/sys/sys/syscall.h /usr/include/sys/
# cp /usr/src/sys/sys/syscallargs.h /usr/include/sys/
# cp /usr/src/sys/sys/sysctl.h /usr/include/sys/
# cp /usr/src/sys/sys/kern_tpe.h /usr/include/sys/
# cp /usr/src/sys/sys/proc.h /usr/include/sys

Reconfigure your kernel (YOURKERNEL is the name of your kernel config file):

# cd /usr/src/sys/arch//conf
# config YOURKERNEL

Remake the dependencies and rebuild the kernel. The old kernel is kept as /bsd.old so that you can boot it from the boot prompt if the new one fails:

# cd /usr/src/sys/arch//compile/YOURKERNEL
# make depend ; make clean ; make
# cp /bsd /bsd.old ; cp -f bsd /
# reboot

Hope everything worked. After the reboot, check dmesg for the trust list being initialised:
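The kernel-side steps above, gathered into one script (an added example, not part of the Stephanie distribution), parameterised by OpenBSD release so the 2.8 and 2.9 branches are not repeated by hand. It adds the two checks a practitioner wants before and after patching: that every source directory from the list above is present, and that patch(1) left no .rej files. Assumptions, all overridable: the tarball was unpacked into ./stephanie, the source tree is /usr/src, the architecture directory under sys/arch is what uname -m reports, and the kernel config name is given on the command line. The file name install-stephanie.sh is also an assumption.

```sh
#!/bin/sh
# Added example, not part of the Stephanie distribution: the kernel-side
# install as one script parameterised by OpenBSD release (2.8 or 2.9), with
# a pre-flight check for the needed sources and a check for rejected hunks.
# Assumptions: tarball unpacked into ./stephanie (override with STEPH),
# source tree /usr/src (override with SRC), arch directory = uname -m,
# kernel config name given on the command line. Nothing is touched unless
# the script is run with --run.

SRC=${SRC:-/usr/src}
STEPH=${STEPH:-stephanie}

# required_dirs VERSION: the source directories the install needs, relative
# to SRC (the list from this page); 2.9 additionally needs usr.bin/top.
required_dirs() {
    dirs="bin/ps usr.bin/systat gnu/usr.bin/ld lib/libc/stdio lib/libkvm sys/kern sys/sys"
    case $1 in
        2.8) echo "$dirs" ;;
        2.9) echo "$dirs usr.bin/top" ;;
        *)   echo "unsupported OpenBSD release: $1" >&2; return 2 ;;
    esac
}

# missing_sources SRCROOT VERSION: print each required directory that is
# absent under SRCROOT; return 0 only when everything is present.
missing_sources() {
    dirs=$(required_dirs "$2") || return 2
    rc=0
    for d in $dirs; do
        [ -d "$1/$d" ] || { echo "$d"; rc=1; }
    done
    return $rc
}

# kernel_patch VERSION: file name of the kernel patch for that release.
kernel_patch() {
    case $1 in
        2.8) echo stephanie-28-0.1.patch ;;
        2.9) echo stephanie-29-0.1.patch ;;
        *)   return 2 ;;
    esac
}

# apply_patch SRCROOT PATCHFILE: apply with -p0 from SRCROOT (PATCHFILE must
# be an absolute path) and fail if patch(1) left any .rej file behind; a
# rejected hunk has to be merged by hand before building.
apply_patch() {
    (cd "$1" && patch -p0 < "$2") || return 1
    rej=$(find "$1" -name '*.rej' -newer "$2" 2>/dev/null)
    [ -z "$rej" ] || { echo "rejected hunks:" $rej >&2; return 1; }
}

# install_kernel VERSION KERNELCONF: the sequence from the text, stopping
# before the reboot; the previous kernel is kept as /bsd.old.
install_kernel() {
    ver=$1; conf=$2
    missing=$(missing_sources "$SRC" "$ver") ||
        { echo "missing under $SRC: $missing" >&2; return 1; }
    apply_patch "$SRC" "$(pwd)/$STEPH/$(kernel_patch "$ver")" || return 1
    cp "$STEPH/kern/kern_tpe.c" "$STEPH/kern/kern_tpe_sys.c" "$SRC/sys/kern" || return 1
    cp "$STEPH/sys/kern_tpe.h" "$SRC/sys/sys" || return 1
    (cd "$SRC/sys/kern" && make) || return 1        # regenerate syscall table
    for h in syscall.h syscallargs.h sysctl.h kern_tpe.h proc.h; do
        cp "$SRC/sys/sys/$h" /usr/include/sys/ || return 1
    done
    arch=$(uname -m)                                 # assumption: matches sys/arch/<dir>
    (cd "$SRC/sys/arch/$arch/conf" && config "$conf") || return 1
    (cd "$SRC/sys/arch/$arch/compile/$conf" && make depend && make clean && make) || return 1
    cp /bsd /bsd.old && cp -f "$SRC/sys/arch/$arch/compile/$conf/bsd" /
}

# Usage (as root, from the directory containing stephanie/):
#   sh install-stephanie.sh --run 2.9 GENERIC
if [ "${1:-}" = "--run" ]; then
    install_kernel "$2" "$3" && echo "new kernel installed as /bsd; reboot to activate"
fi
```

Without --run the script only defines its functions, so it can be sourced to run the pre-flight check on its own (missing_sources /usr/src 2.9) before you start patching anything.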
# dmesg | grep list
Trusted patch execution list initialized
tpe: UID 0 added to trust list
#

OK! Now you need to patch ld.so and libkvm.

2.8 users:

# cp lib/lib-28.patch /usr/src
# cd /usr/src
# patch -p0 < lib-28.patch

2.9 users:

# cp lib/lib-29.patch /usr/src
# cd /usr/src
# patch -p0 < lib-29.patch

Now rebuild ld.so and libkvm:

# cd /usr/src/gnu/usr.bin/ld/rtld
# make ; make install
# cd /usr/src/lib/libkvm
# make ; make install

Recompile ps (it is statically linked, so it does not pick up the new libkvm on its own):

# cd /usr/src/bin/ps
# make ; make install

2.9 users will need to recompile top:

# cd /usr/src/usr.bin/top
# make ; make install

As a non-trusted user (anyone bar root at this stage), see if systat crashes. If it does, apply the patch in misc/, then recompile and reinstall:

# cp misc/systat.diff /usr/src
# cd /usr/src
# patch -p0 < systat.diff
# cd /usr/src/usr.bin/systat/
# make ; make install

Now, if you want to restrict reads on stdin for untrusted users (so that a script cannot be fed to an interpreter on its standard input instead of being executed), go through and set the system immutable flag on every interpreter; the restriction is applied to immutable binaries:

# chflags schg /bin/sh
# chflags schg /bin/csh
# chflags schg /bin/ksh
# chflags schg /bin/rksh
# chflags schg /usr/bin/perl
# chflags schg /usr/bin/awk

And any others you have. Keep in mind that the schg flag can only be cleared at securelevel 0, so upgrading a flagged interpreter later means a trip to single-user mode.

Finally, make the utility program:

# cd misc
# make ; make install

OK! Now you can test it out. First, check the trusted user list:

# tpe_adm -s
trusted users: root
#

As an untrusted user, build and run a trivial program:

$ cat > foo.c << EOF
#include <stdio.h>

int main(void)
{
	printf("Hello world\n");
	return 0;
}
EOF
$ gcc foo.c
$ ./a.out
./a.out: Permission denied

Neat. Now see what else is restricted. Try ps -ax, iostat, systat, vmstat, fstat, netstat and w. Untrusted users should only be able to see information about processes they own (top will not work at all for untrusted users on 2.8; on 2.9 it displays the processes owned by the user).
Now, as root, check the status of ld environment stripping:

# tpe_adm -ls
ld.so environment protection is currently on
#

Test it out as an untrusted user (assuming bash):

$ export LD_PRELOAD=test.o
$ file a.out
Your environment contains possibly malicious variables, stripping for the execution of this program
a.out: OpenBSD/i386 demand paged dynamically linked executable not stripped
$

Turn ld protection off:

# tpe_adm -ld
ld.so environment protection disabled
#

Then repeat the test as the untrusted user. ld.so now honours LD_PRELOAD, and fails because test.o does not exist:

$ file a.out
/usr/libexec/ld.so: preload: test.o: cannot map object
$

Now add a user to the trusted list:

# tpe_adm -a doe
UID 1000 added to trust list
#

Play with the system utilities; they should work now. Try running the sample program:

$ ./a.out
Hello world
$

As a trusted user, LD_PRELOAD and LD_LIBRARY_PATH can be used freely.

As root, take away the trust status again:

# tpe_adm -d doe
UID 1000 removed from trust list
#

Now try out the symlink restrictions. As the untrusted user, create a symlink in the world-writable /tmp; following it is then refused, even for root:

$ cd /tmp
$ ln -s /etc/master.passwd hi
# cat /tmp/hi
cat: /tmp/hi: Permission denied
#

That's it! You're done. Add any trusted users (anyone in group wheel would be a good start). The trust list is held in the kernel and does not survive a reboot, so users have to be added again after every reboot; the following could be added to /etc/rc.local:

if [ -x /usr/local/sbin/tpe_adm ]; then
	/usr/local/sbin/tpe_adm -a doe
fi

NOTE TO QMAIL USERS: You may find that you need to explicitly add the qmailq UID to the trust list. Do this in an rc startup script that runs before the qmail daemons start.

Send any feedback, bugs, comments or feature requests to doe@fuxya.org
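A way to do the boot-time re-population generically, as an added example (not part of the Stephanie distribution): trust everyone in group wheel by reading the group file rather than hard-coding names in rc.local, with a hook for extra names such as qmailq from the note above. tpe_adm -a <user> is the interface shown on this page; its path, the group file, and the script name trust-wheel.sh are assumptions and can be overridden.

```sh
#!/bin/sh
# Added example, not part of the Stephanie distribution: re-populate the
# trust list at boot from group membership instead of hard-coding names.
# tpe_adm -a <user> is the interface shown above; its path and the group
# file are assumptions (override with TPE_ADM / a different file argument).
# Names that belong to no group (e.g. qmailq) go in EXTRA_TRUST.

TPE_ADM=${TPE_ADM:-/usr/local/sbin/tpe_adm}

# group_members FILE GROUP: print the names in GROUP's member field of an
# /etc/group-style FILE, one per line; copes with an empty member list and
# stray blanks around names.
group_members() {
    awk -F: -v g="$2" '
        $1 == g && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", m[i])
                if (m[i] != "") print m[i]
            }
        }' "$1"
}

# trusted_names FILE GROUP...: union of the members of the named groups and
# of $EXTRA_TRUST, deduplicated, one per line.
trusted_names() {
    file=$1; shift
    {
        for g in "$@"; do group_members "$file" "$g"; done
        for u in ${EXTRA_TRUST:-}; do echo "$u"; done
    } | sort -u
}

# trust_all FILE GROUP...: add every name from trusted_names with tpe_adm -a.
# Returns non-zero if tpe_adm is missing or any add fails, but keeps going
# after a failure so one bad name does not leave the rest untrusted.
trust_all() {
    [ -x "$TPE_ADM" ] || { echo "$TPE_ADM not found or not executable" >&2; return 1; }
    rc=0
    for u in $(trusted_names "$@"); do
        "$TPE_ADM" -a "$u" || { echo "could not trust $u" >&2; rc=1; }
    done
    return $rc
}

# From /etc/rc.local (the trust list is lost at every reboot):
#   EXTRA_TRUST=qmailq sh /usr/local/sbin/trust-wheel.sh --run
if [ "${1:-}" = "--run" ]; then
    trust_all /etc/group wheel
fi
```

Because tpe_adm identifies users by UID, the names only need to resolve at the time the script runs; if an rc script for qmail has to run before the daemons start, invoke it from there with EXTRA_TRUST=qmailq instead of waiting for rc.local.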