
From: Stefan Sperling <stsp@stsp.name>
Subject: Re: fix gotwebd unveil settings
To: Omar Polo <op@omarpolo.com>
Cc: gameoftrees@openbsd.org
Date: Tue, 14 Nov 2023 09:09:54 +0100


On Tue, Nov 14, 2023 at 09:08:35AM +0100, Stefan Sperling wrote:
> On Tue, Nov 14, 2023 at 08:50:46AM +0100, Omar Polo wrote:
> > On 2023/11/13 21:42:37 +0100, Stefan Sperling <stsp@stsp.name> wrote:
> > > gotwebd has no reason to write or create new files anywhere in the
> > > web server's chroot dir. The only directory where it needs to create
> > > or write to files is /var/www/tmp.
> >                        ^^^^^^^^
> >                        wrong, just /tmp/
> 
> Indeed. I forgot that we moved temp file creation outside the
> chroot when gotd came around.
> 
> > > ok?
> > 
> > OK op@ with the unveil(GOT_TMPDIR_STR) removed (and maybe even
> > unveil(GOTWEBD_CONF) since it's already parsed and we don't do
> > reloading)
> 
> Thanks! It does run with /tmp removed. Even better.
> 
> I will keep the config file for now. Hopefully we'll add reload
> functionality some day.

Oops, got confused between the 2 threads and posted the wrong diff.
Here is the new gotwebd.c diff again for reference.

diff /home/stsp/src/got
commit - b1c090542f4ecaf993fc81468338839febcb8e37
path + /home/stsp/src/got
blob - 1355425a306b5f1305bfc75b471bd657c206cbb0
file + gotwebd/gotwebd.c
--- gotwebd/gotwebd.c
+++ gotwebd/gotwebd.c
@@ -249,12 +249,9 @@ main(int argc, char **argv)
 		err(1, "gmon.out");
 #endif
 
-	if (unveil(env->httpd_chroot, "rwc") == -1)
+	if (unveil(env->httpd_chroot, "r") == -1)
 		err(1, "unveil");
 
-	if (unveil(GOT_TMPDIR_STR, "rw") == -1)
-		err(1, "unveil");
-
 	if (unveil(GOTWEBD_CONF, "r") == -1)
 		err(1, "unveil");
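Review bot: with the unveil(GOT_TMPDIR_STR, "rw") call removed and the chroot unveil narrowed from "rwc" to "r", no unveil left in this hunk grants write or create permission, so the change only holds if every file gotwebd creates lives outside these paths, as the thread says it does for temp files; a one-line comment above `if (unveil(env->httpd_chroot, "r") == -1)` recording that assumption, and noting that `unveil(GOTWEBD_CONF, "r")` is kept for a possible future reload even though the config is already parsed, would spare the next reader the same question raised in this thread. The hunk as shown ends right after the GOTWEBD_CONF unveil, so whether the unveil set is then locked with unveil(NULL, NULL) cannot be confirmed from the visible lines.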