Make use of doas mandatory to avoid running iblock as root.

README.md

@@ -7,13 +7,27 @@ It is meant to be used to block scanner connecting on unused ports.
 
 # How to use
 
+## Add a dedicated user
+
+```
+useradd -s /sbin/nologin _iblock
+```
+
+## Configure doas
+
+Add in `/etc/doas.conf`:
+
+```
+permit nopass _iblock cmd /sbin/pfctl
+```
+
 ## Configure inetd
 
 Start inetd service with this in `/etc/inetd.conf`:
 
 ```
-666 stream tcp nowait root /usr/local/bin/iblock iblock
-666 stream tcp6 nowait root /usr/local/bin/iblock iblock
+666 stream tcp nowait _iblock /usr/local/bin/iblock iblock
+666 stream tcp6 nowait _iblock /usr/local/bin/iblock iblock
 ```
 
 You can change the PF table by adding it as a parameter like this:
@@ -51,4 +65,3 @@ In the example I added a label to the block rule, you can use `pfctl -s labels`
 
 - make install doing something
 - A proper man page
-- make it work with doas

main.c

@@ -19,7 +19,7 @@ int main(int argc, char *argv[]){
 	char table[TABLE_LEN] = DEFAULT_TABLE;
 	int status;
 
-	if (unveil("/sbin/pfctl", "rx") != 0)
+	if (unveil("/usr/bin/doas", "rx") != 0)
 		err(1, "unveil");
 	if (pledge("exec inet stdio", NULL) != 0)
 		err(1, "pledge");
@@ -48,7 +48,7 @@ int main(int argc, char *argv[]){
 	switch(sock.ss_family) {
 	case AF_INET: /* FALLTHROUGHT */
 	case AF_INET6:
-		execlp("/sbin/pfctl", "pfctl", "-t", table, "-T", "add", ip, NULL);
+		execlp("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
 		break;
 	default:
 		exit(2);