Ruby previously had an emulated approach for File.realpath, which did
not work correctly when using unveil(2). This backports a patch to
use realpath(3) for File.realpath that I recently committed upstream.
I have tested this works as expected with unveil(2) on -current, and
have been running it on some personal apps for about a week to serve
Ruby web applications using unveil(2) instead of chroot(2) to limit file
system access. unveil(2) is a lot less fragile than chroot(2) for
limiting file system access in Ruby web applications, because many Ruby
libraries have an unfortunate tendency to load Ruby code at runtime from
locations under /usr/local/lib/ruby due to a misfeature called autoload.
Regen patches while here.
I plan to commit this in a couple days unless I hear objections.
Thanks,
Jeremy
Index: 2.4/Makefile
===================================================================
RCS file: /cvs/ports/lang/ruby/2.4/Makefile,v
retrieving revision 1.16
diff -u -p -r1.16 Makefile
--- 2.4/Makefile 3 Apr 2019 17:25:25 -0000 1.16
+++ 2.4/Makefile 26 Jun 2019 19:45:33 -0000
@@ -3,6 +3,7 @@
VERSION = 2.4.6
SHARED_LIBS = ruby24 2.0
NEXTVER = 2.5
+REVISION-main = 0
PSEUDO_FLAVORS= no_ri_docs bootstrap
# Do not build the RI docs on slow arches
Index: 2.4/patches/patch-file_c
===================================================================
RCS file: 2.4/patches/patch-file_c
diff -N 2.4/patches/patch-file_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ 2.4/patches/patch-file_c 26 Jun 2019 20:11:48 -0000
@@ -0,0 +1,102 @@
+$OpenBSD$
+
+Backport use of realpath(3) for File.realpath to allow unveil(2) to work.
+
+Index: file.c
+--- file.c.orig
++++ file.c
+@@ -126,6 +126,9 @@ int flock(int, int);
+ #define STAT(p, s) stat((p), (s))
+
No comments:
Post a Comment