From: Stefan Sperling Subject: fix gotwebd unveil settings To: gameoftrees@openbsd.org Date: Mon, 13 Nov 2023 21:42:37 +0100 gotwebd has no reason to write or create new files anywhere in the web server's chroot dir. The only directory where it needs to create or write to files is /var/www/tmp. ok?
diff /home/stsp/src/got
commit - b1c090542f4ecaf993fc81468338839febcb8e37
path + /home/stsp/src/got
blob - 1355425a306b5f1305bfc75b471bd657c206cbb0
file + gotwebd/gotwebd.c
--- gotwebd/gotwebd.c
+++ gotwebd/gotwebd.c
@@ -249,10 +249,10 @@ main(int argc, char **argv)
 err(1, "gmon.out");
 #endif
- if (unveil(env->httpd_chroot, "rwc") == -1)
+ if (unveil(env->httpd_chroot, "r") == -1)
 err(1, "unveil");
- if (unveil(GOT_TMPDIR_STR, "rw") == -1)
+ if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
 err(1, "unveil");
 if (unveil(GOTWEBD_CONF, "r") == -1)
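Review bot: The two changed `unveil()` calls carry no comment explaining the split, and going by the description the tmp directory sits inside the chroot, so the `"rwc"` grant only works because unveil applies the most specific matching path over the read-only entry for the enclosing directory. A comment above the pair would keep a later edit from widening the chroot again, for example `/* chroot is read-only; GOT_TMPDIR_STR is the only place files are created or written */`. main() continues outside the hunk, so it cannot be checked from here whether anything else under the chroot is created after this point (a listening socket bound later would need create permission) or whether the unveil list is locked afterwards; both are worth confirming before relying on `"r"`. The unchanged `err(1, "unveil")` calls also do not say which path failed, and `err(1, "unveil %s", GOT_TMPDIR_STR)` would make a misconfigured tmp directory easier to diagnose.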