If you open a file that requires scribble/manual with the module browser
(available via the Racket menu item in DrRacket), you'll see that ssl is
needed by the code that opens urls (presumably to do https) which is needed
by the code that handles planet requires (since planet requires may involve
http requests) which is needed by the code that handles tags (presumably
these tags go via require paths, maybe?) in scribble. At least, I think I
might be getting that right.

Robby


On Mon, Jan 4, 2021 at 6:15 PM Sage Gerard <s...@sagegerard.com> wrote:

> I don't know if Scribble needs OpenSSL, but a dependency probably does.
> The only precondition of that error is that openssl/mzssl appears
> *somewhere* among the dependencies. I run into that same error for
> evaluators that have nothing to do with Scribble.
>
> ~slg
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Monday, January 4, 2021 7:10 PM, 'William J. Bowman' via Racket Users <
> racket-users@googlegroups.com> wrote:
>
> > Thanks for the explanation.
> >
> > I can't figure out why scribble/manual needs openssl, but oh well.
> >
> > After reading through openssl, I've gone with a slightly less blunt instrument:
> >
> > > (require/expose openssl/mzssl (X509_get_default_cert_file))
> > > ...
> > > [sandbox-path-permissions
> > >  (append `((exists ,(X509_get_default_cert_file)))
> > >          (sandbox-path-permissions))]
> > > ...
> >
> > --
> >
> > William J. Bowman
> >
> > On Tue, Jan 05, 2021 at 12:07:12AM +0000, Sage Gerard wrote:
> >
> > > Heads up: My earlier example was missing a closing paren. Also just saw that your subject line asked "Why", so I checked.
> > > openssl/mzssl provides a parameter called `ssl-default-verify-sources'. See 1. The parameter is created during module instantiation with an OS-dependent default value.
> > > When you create a sandboxed evaluator, it is impacted by several parameters. The default values of those parameters have little to no trust in the code, and will deny ALL filesystem access. Also, all Racket modules that are not shared with the evaluator are instantiated again. So you need to account for what happens as a side effect of all instantiations needed to get the evaluator up and running. If some module somewhere happens to require openssl/mzssl (even if you don't need it), then you are impacted by the permissions on the evaluator.
> > > My earlier example was crude precisely because it is a blanket grant of existential checks for all filesystem paths. For better security habits, you can just add one `exists' permission to `(sandbox-path-permissions)' based on the value of `(ssl-default-verify-sources)'.
> > > ~slg
> > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > On Monday, January 4, 2021 6:53 PM, Sage Gerard s...@sagegerard.com wrote:
> > >
> > > > If you just want to silence the error with a blunt instrument, then you could
> > > > try a parameterization where sandbox-path-permissions is set to:
> > > > (append (map (λ (p) `(exists ,p)) (filesystem-root-list)
> > > > (sandbox-path-permissions)))
> > > > This suffices since it is an existential check, not a file read.
> > > > ~slg
> > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > On Monday, January 4, 2021 6:47 PM, 'William J. Bowman' via Racket Users racket-users@googlegroups.com wrote:
> > > >
> > > > > I have a sandbox that loads scribble/manual (indirectly) to render some HTML.
> > > > > But it crashes with the following error:
> > > > >
> > > > > > racket -e "(require racket/sandbox)" -e "((make-evaluator 'racket/base) '(require scribble/manual))"
> > > > >
> > > > > file-exists?: `exists' access denied for /etc/ssl/cert.pem
> > > > > errortrace...:
> > > > > context...:
> > > > > do-error
> > > > > security-guard-check-file
> > > > > ->host
> > > > > file-exists?
> > > > > ..../racket/racket/collects/openssl/mzssl.rkt:397:0: x509-root-sources
> > > > > interpret
> > > > > [repeats 1 more time]
> > > > > proc
> > > > > call-in-empty-metacontinuation-frame
> > > > > body of "..../racket/racket/collects/openssl/mzssl.rkt"
> > > > > interpret-expr
> > > > > body of top-level
> > > > > run-module-instance!
> > > > > [repeats 12 more times]
> > > > > perform-require!
> > > > > loop
> > > > > This is strange, since openssl shouldn't actually be needed.
> > > > > I could just allow access to the file, but the path depends on which operating system I'm running on making this slightly complicated, and the access isn't necessary.
> > > > > Is there some way to trick Racket into not trying to do this, or else some parameter I can use to provide access to whatever openssl is going to try to touch without hardcoding the paths?
> > > > > William J. Bowman
> > > > > You received this message because you are subscribed to the Google
> Groups "Racket Users" group.
> > > > > To unsubscribe from this group and stop receiving emails from it,
> send an email to racket-users+unsubscr...@googlegroups.com.
> > > > > To view this discussion on the web visit
> https://groups.google.com/d/msgid/racket-users/X/OpEPyvzOyzQql2%40williamjbowman.com
> .
>
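
An added example (not code from this thread) of the narrower grant Sage describes: it builds `exists`-only entries from `(ssl-default-verify-sources)` and then probes, from inside the evaluator, whether the security guard passes an existence check and a read on each granted path. `source->path`, `trust-store-exists-permissions` and `probe` are hypothetical helper names, and it assumes the paths probed at instantiation are the ones listed in that parameter.

```racket
#lang racket/base
;; Added example (not from the thread). Assumption: the paths openssl/mzssl
;; probes at instantiation are the ones listed in (ssl-default-verify-sources).
(require racket/sandbox racket/match racket/list openssl)

;; A verification source -> the filesystem path it names, or #f for
;; non-path sources such as '(win32-store "ROOT").
(define (source->path src)
  (match src
    [(? path-string? p) p]
    [(list 'directory (? path-string? p)) p]
    [_ #f]))

;; One `exists` grant per default trust-store location, nothing broader.
(define (trust-store-exists-permissions)
  (for/list ([p (in-list (filter-map source->path (ssl-default-verify-sources)))])
    `(exists ,(if (path? p) (path->string p) p))))

;; Inside evaluator `ev`, report whether the security guard refuses an
;; existence check and a read of path string `s`. 'allowed means the guard
;; did not refuse; the operation itself may still fail (e.g. no such file).
(define (probe ev s)
  (ev `(let ([try (λ (thunk)
                    (with-handlers
                        ([exn:fail?
                          (λ (e)
                            (if (regexp-match? #rx"access denied" (exn-message e))
                                'denied
                                'allowed))])
                      (thunk)
                      'allowed))])
         (list ,s
               (try (λ () (file-exists? ,s)))
               (try (λ () (close-input-port (open-input-file ,s))))))))

(define perms (trust-store-exists-permissions))

;; Evaluator whose only extra filesystem rights are the grants above.
(define ev
  (parameterize ([sandbox-path-permissions
                  (append perms (sandbox-path-permissions))])
    (make-evaluator 'racket/base)))

;; Print (path exists-check read-attempt) for every granted path.
(for ([perm (in-list perms)])
  (printf "~s\n" (probe ev (cadr perm))))
```

On platforms whose default sources are not filesystem paths (the Windows certificate store, the macOS keychain entry), `perms` is empty and nothing is printed.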
