fix gotwebd unveil settings
On Tue, Nov 14, 2023 at 08:50:46AM +0100, Omar Polo wrote:
> On 2023/11/13 21:42:37 +0100, Stefan Sperling <stsp@stsp.name> wrote:
> > gotwebd has no reason to write or create new files anywhere in the
> > web server's chroot dir. The only directory where it needs to create
> > or write to files is /var/www/tmp.
> ^^^^^^^^
> wrong, just /tmp/
Indeed. I forgot that we moved temp file creation outside the
chroot when gotd came around.
> > ok?
>
> OK op@ with the unveil(GOT_TMPDIR_STR) removed (and maybe even
> unveil(GOTWEBD_CONF) since it's already parsed and we don't do
> reloading)
Thanks! It does run with /tmp removed. Even better.
I will keep the config file for now. Hopefully we'll add reload
functionality some day.
diff /home/stsp/src/got
commit - b1c090542f4ecaf993fc81468338839febcb8e37
path + /home/stsp/src/got
blob - 341d3774c799acfb106876120fa0e5ae0b9131c0
file + gotwebd/sockets.c
--- gotwebd/sockets.c
+++ gotwebd/sockets.c
@@ -53,6 +53,7 @@
#include "got_opentemp.h"
#include "got_reference.h"
#include "got_repository.h"
+#include "got_privsep.h"
#include "proc.h"
#include "gotwebd.h"
@@ -112,8 +113,8 @@ sockets_run(struct privsep *ps, struct privsep_proc *p
signal_add(&ps->ps_evsigchld, NULL);
#ifndef PROFILE
- if (pledge("stdio rpath wpath cpath inet recvfd proc exec sendfd",
- NULL) == -1)
+ if (pledge("stdio rpath wpath cpath inet recvfd proc exec sendfd "
+ "unveil", NULL) == -1)
fatal("pledge");
#endif
}
@@ -246,6 +247,8 @@ static void
sockets_launch(void)
{
struct socket *sock;
+ struct server *srv;
+ const struct got_error *error;
TAILQ_FOREACH(sock, &gotwebd_env->sockets, entry) {
log_debug("%s: configuring socket %d (%d)", __func__,
@@ -262,6 +265,18 @@ sockets_launch(void)
log_debug("%s: running socket listener %d", __func__,
sock->conf.id);
}
+
+ TAILQ_FOREACH(srv, &gotwebd_env->servers, entry) {
+ if (unveil(srv->repos_path, "r") == -1)
+ fatal("unveil %s", srv->repos_path);
+ }
+
+ error = got_privsep_unveil_exec_helpers();
+ if (error)
+ fatal("%s", error->msg);
+
+ if (unveil(NULL, NULL) != 0)
+ fatal("unveil");
}
static void
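Review bot: Nothing in this hunk unveils GOTWEBD_CONF before `unveil(NULL, NULL)` locks the view, although the cover text says the config file unveil is kept; if that call lives in a part of the patch not shown here this is fine, otherwise the config path becomes unreachable once the lock is applied. The final check `if (unveil(NULL, NULL) != 0)` should read `if (unveil(NULL, NULL) == -1)` to match the two `== -1` tests above it. Once the view is locked, the "unveil" promise added to the pledge set in sockets_run is no longer needed, so a second pledge() without it would be a cheap further restriction. A short comment above the server loop, `/* Repositories are only ever read; the rest of the chroot stays hidden. */`, would record the policy for the next reader. sockets_launch opens in the previous hunk and the part of its body between the two hunks is not shown.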