From: Mike Larkin <mlarkin@nested.page>
Subject: Re: fix gotwebd unveil settings
To: gameoftrees@openbsd.org
Date: Mon, 13 Nov 2023 12:50:24 -0800

On Mon, Nov 13, 2023 at 09:42:37PM +0100, Stefan Sperling wrote:
> gotwebd has no reason to write or create new files anywhere in the
> web server's chroot dir. The only directory where it needs to create
> or write to files is /var/www/tmp.
>
> ok?
>
> diff /home/stsp/src/got
> commit - b1c090542f4ecaf993fc81468338839febcb8e37
> path + /home/stsp/src/got
> blob - 1355425a306b5f1305bfc75b471bd657c206cbb0
> file + gotwebd/gotwebd.c
> --- gotwebd/gotwebd.c
> +++ gotwebd/gotwebd.c
> @@ -249,10 +249,10 @@ main(int argc, char **argv)
>  		err(1, "gmon.out");
>  #endif
>
> -	if (unveil(env->httpd_chroot, "rwc") == -1)
> +	if (unveil(env->httpd_chroot, "r") == -1)
>  		err(1, "unveil");
>
> -	if (unveil(GOT_TMPDIR_STR, "rw") == -1)
> +	if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
>  		err(1, "unveil");
>
>  	if (unveil(GOTWEBD_CONF, "r") == -1)
>

ok mlarkin