From: Omar Polo
Subject: Re: fix gotwebd unveil settings
To: Stefan Sperling
Cc: gameoftrees@openbsd.org
Date: Tue, 14 Nov 2023 11:29:49 +0100

On 2023/11/14 09:09:54 +0100, Stefan Sperling wrote:
> On Tue, Nov 14, 2023 at 09:08:35AM +0100, Stefan Sperling wrote:
> > On Tue, Nov 14, 2023 at 08:50:46AM +0100, Omar Polo wrote:
> > > On 2023/11/13 21:42:37 +0100, Stefan Sperling wrote:
> > > > gotwebd has no reason to write or create new files anywhere in the
> > > > web server's chroot dir. The only directory where it needs to create
> > > > or write to files is /var/www/tmp.
> > > ^^^^^^^^
> > > wrong, just /tmp/
> >
> > Indeed. I forgot that we moved temp file creation outside the
> > chroot when gotd came around.
> >
> > > > ok?
> > >
> > > OK op@ with the unveil(GOT_TMPDIR_STR) removed (and maybe even
> > > unveil(GOTWEBD_CONF) since it's already parsed and we don't do
> > > reloading)
> >
> > Thanks! It does run with /tmp removed. Even better.
> >
> > I will keep the config file for now. Hopefully we'll add reload
> > functionality some day.
>
> Oops, got confused between the 2 threads and posted the wrong diff.
> Here is the new gotwebd.c diff again for reference.

ok op@

> diff /home/stsp/src/got
> commit - b1c090542f4ecaf993fc81468338839febcb8e37
> path + /home/stsp/src/got
> blob - 1355425a306b5f1305bfc75b471bd657c206cbb0
> file + gotwebd/gotwebd.c
> --- gotwebd/gotwebd.c
> +++ gotwebd/gotwebd.c
> @@ -249,12 +249,9 @@ main(int argc, char **argv)
> err(1, "gmon.out");
> #endif
>
> - if (unveil(env->httpd_chroot, "rwc") == -1)
> + if (unveil(env->httpd_chroot, "r") == -1)
> err(1, "unveil");
>
> - if (unveil(GOT_TMPDIR_STR, "rw") == -1)
> - err(1, "unveil");
> -
> if (unveil(GOTWEBD_CONF, "r") == -1)
> err(1, "unveil");
>
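Review bot: With the GOT_TMPDIR_STR unveil dropped and httpd_chroot narrowed from "rwc" to "r", every remaining unveil() in this hunk is read-only, so the commit should confirm that no code path left in this process still creates temporary files (the thread says temp file creation moved out of the chroot when gotd came around, and the "runs with /tmp removed" test supports that); under unveil a stray mkstemp() would fail with ENOENT rather than a clear permission error, so a runtime check of the repository and diff views after the change is the right test. The original description's "/var/www/tmp" wording should also be corrected to match the diff, which now grants write permission nowhere.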