On Thu, Sep 26, 2019 at 05:40:38PM +0200, Otto Moerbeek wrote:
> On Thu, Sep 26, 2019 at 05:27:08PM +0200, Solene Rapenne wrote:
>
> > Hi, now that we have OpenBSD::pledge I thought it would be nice to use
> > it in devel/cvsweb
> >
> > I've been able to tighten it to "rpath proc exec prot_exec"; removing
> > wpath and cpath was possible by commenting out the lines piping STDERR to
> > /dev/null. That doesn't mean creating dev/null is no longer required:
> > it's still required for cvsweb to work correctly (due to rlog I think).
> >
> > I updated pkg/README because this requires OpenBSD/Pledge.pm and a so
> > file to be copied into the chroot too.
> >
> > I had some testing on www repository by lot of people and it worked
> > perfectly.
>
> Be careful that error messages do not show up on the web pages
> generated by not redirecting stderr...
>
> -Otto
at least slowcgi discards stderr output; not sure about other CGI servers.
if you have a better way (not writing to something) to discard the
stderr output, that would be better than relying on slowcgi ignoring it.
latest patch adding unveil
Index: Makefile
===================================================================
RCS file: /data/cvs/ports/devel/cvsweb/Makefile,v
retrieving revision 1.62
diff -u -p -r1.62 Makefile
--- Makefile 12 Jul 2019 20:44:07 -0000 1.62
+++ Makefile 27 Sep 2019 07:19:23 -0000
@@ -3,7 +3,7 @@
COMMENT= CGI script to browse CVS repository trees
DISTNAME= cvsweb-2.0.6
-REVISION= 27
+REVISION= 28
CATEGORIES= devel www
HOMEPAGE= http://www.freebsd.org/projects/cvsweb.html
Index: patches/patch-cvsweb_cgi
===================================================================
RCS file: /data/cvs/ports/devel/cvsweb/patches/patch-cvsweb_cgi,v
retrieving revision 1.13
diff -u -p -r1.13 patch-cvsweb_cgi
--- patches/patch-cvsweb_cgi 7 Apr 2013 20:07:24 -0000 1.13
+++ patches/patch-cvsweb_cgi 27 Sep 2019 07:20:20 -0000
@@ -1,6 +1,7 @@
$OpenBSD: patch-cvsweb_cgi,v 1.13 2013/04/07 20:07:24 naddy Exp $
---- cvsweb.cgi.orig Thu Sep 26 22:56:05 2002
-+++ cvsweb.cgi Sun Apr 7 14:15:55 2013
+Index: cvsweb.cgi
+--- cvsweb.cgi.orig
++++ cvsweb.cgi
@@ -1,4 +1,4 @@
-#!/usr/bin/perl -wT
+#!/usr/bin/perl -w
@@ -37,7 +38,43 @@ $OpenBSD: patch-cvsweb_cgi,v 1.13 2013/0
);
@LOGSORTKEYS = qw(cvs date rev);
-@@ -2014,20 +2009,6 @@ sub doDiff($$$$$$) {
+@@ -249,7 +244,26 @@ EOM
+
+ use Time::Local ();
+ use IPC::Open2 qw(open2);
++use OpenBSD::Pledge;
++use OpenBSD::Unveil;
+
++pledge( qw( rpath proc exec prot_exec unveil ) ) || die "Can't pledge: $!";
++
++# directories
++unveil( "/usr/libdata/perl5/", "r" ) || die "Unable to unveil: $!";
++unveil( "/cvs/", "r" ) || die "Unable to unveil: $!";
++unveil( "/conf/", "r" ) || die "Unable to unveil: $!";
++
++# files
++unveil( "/dev/null", "r" ) || die "Unable to unveil: $!";
++unveil( "/usr/bin/rcsdiff", "rx" ) || die "Unable to unveil: $!";
++unveil( "/usr/bin/rlog", "rx" ) || die "Unable to unveil: $!";
++unveil( "/usr/bin/cvs", "rx" ) || die "Unable to unveil: $!";
++unveil( "/usr/bin/uname", "rx" ) || die "Unable to unveil: $!";
++
++unveil() || die "Unvable to unveil: $!";
++
++
+ # Check if the zlib C library interface is installed, and if yes
+ # we can avoid using the extra gzip process.
+ eval { require Compress::Zlib; };
+@@ -1578,7 +1592,7 @@ sub openOutputFilter() {
+ open(STDOUT, "|-") and return;
+
+ # child of child
+- open(STDERR, '>/dev/null');
++ #open(STDERR, '>/dev/null');
+ exec($output_filter) or exit -1;
+ }
+
+@@ -2014,20 +2028,6 @@ sub doDiff($$$$$$) {
my @difftype = @{$difftype->{'opts'}};
my $human_readable = $difftype->{'colored'};
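Review bot: After the lock on the `+unveil() || die` line the process still holds the `unveil` promise granted by the `pledge()` call above it; the usual idiom is to drop it right after the lock with a second call, `pledge( qw( rpath proc exec prot_exec ) ) || die "Can't pledge: $!";`, so the final filesystem view is also expressed in the pledge promises rather than only in the unveil state. The `die` message on that same line misspells "Unable" as "Unvable". The `/cvs/` and `/conf/` entries are hard-coded while the repository roots and the configuration file are presumably taken from cvsweb.conf, so a site that configures a different location would see rlog or the config load fail with a bare ENOENT rather than an unveil-related error; a comment naming the config keys these paths must match, or deriving the list from them, would make that failure mode visible. Note also that `/dev/null` is unveiled `r` only, so the `open(STDERR, '>/dev/null')` lines commented out here and in the getDirLogs hunk below could not be re-enabled without a `w` unveil and the `wpath` promise; deleting them and rewording the now-stale `rlog may complain; ignore.` comments would be cleaner than carrying commented-out code in the patch. The openOutputFilter and getDirLogs bodies continue outside the hunks shown.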
@@ -58,7 +95,24 @@ $OpenBSD: patch-cvsweb_cgi,v 1.13 2013/0
if ($human_readable) {
if ($hr_ignwhite) {
push @difftype, '-w';
-@@ -2658,7 +2639,7 @@ sub printLog($;$) {
+@@ -2128,14 +2128,14 @@ sub getDirLogs($$@) {
+
+ #can't use -r<tag> as - is allowed in tagnames, but misinterpreated by rlog..
+ if (!open($fh, "-|")) { # child
+- open(STDERR, '>/dev/null'); # rlog may complain; ignore.
++ #open(STDERR, '>/dev/null'); # rlog may complain; ignore.
+ openOutputFilter();
+ exec($CMD{rlog}, @files) or exit -1;
+ }
+ } else {
+
+ if (!open($fh, "-|")) { # child
+- open(STDERR, '>/dev/null'); # rlog may complain; ignore.
++ #open(STDERR, '>/dev/null'); # rlog may complain; ignore.
+ openOutputFilter();
+ exec($CMD{rlog}, '-r', @files) or exit -1;
+ }
+@@ -2658,7 +2658,7 @@ sub printLog($;$) {
if (/^1\.1\.1\.\d+$/) {
print " <i>(vendor branch)</i>";
}
Index: pkg/README
===================================================================
RCS file: /data/cvs/ports/devel/cvsweb/pkg/README,v
retrieving revision 1.18
diff -u -p -r1.18 README
--- pkg/README 2 May 2019 18:58:38 -0000 1.18
+++ pkg/README 27 Sep 2019 06:51:39 -0000
@@ -22,7 +22,7 @@ cd /var/www/usr
mkdir -p bin lib libdata/perl5 libexec
cd /var/www/usr/libdata/perl5
-mkdir -p File IPC Time warnings `arch -s`-openbsd/auto/{Cwd,Fcntl} unicore
+mkdir -p File IPC Time warnings `arch -s`-openbsd/auto/{Cwd,Fcntl,OpenBSD/Pledge,OpenBSD/Unveil} `arch -s`-openbsd/OpenBSD unicore
# The "annotate" function requires this empty file:
#
@@ -72,6 +72,10 @@ cp -p /usr/libdata/perl5/`arch -s`-openb
cp -p /usr/libdata/perl5/`arch -s`-openbsd/DynaLoader.pm .
cp -p /usr/libdata/perl5/`arch -s`-openbsd/Fcntl.pm .
cp -p /usr/libdata/perl5/`arch -s`-openbsd/auto/Fcntl/Fcntl.so ./auto/Fcntl/
+cp -p /usr/libdata/perl5/`arch -s`-openbsd/OpenBSD/Pledge.pm ./OpenBSD/
+cp -p /usr/libdata/perl5/`arch -s`-openbsd/OpenBSD/Unveil.pm ./OpenBSD/
+cp -p /usr/libdata/perl5/`arch -s`-openbsd/auto/OpenBSD/Pledge/Pledge.so ./auto/OpenBSD/Pledge/
+cp -p /usr/libdata/perl5/`arch -s`-openbsd/auto/OpenBSD/Unveil/Unveil.so ./auto/OpenBSD/Unveil/
# You also need to enable slowcgi(8):