On Fri, Sep 27, 2019 at 09:28:39AM +0200, Solene Rapenne wrote:
> On Thu, Sep 26, 2019 at 05:40:38PM +0200, Otto Moerbeek wrote:
> > On Thu, Sep 26, 2019 at 05:27:08PM +0200, Solene Rapenne wrote:
> > >
> > > Hi, now that we have OpenBSD::pledge I thought it would be nice to use
> > > it in devel/cvsweb
> > >
> > > I've been able to tighten it to "rpath proc exec prot_exec", removing
> > > wpath and cpath was possible by commenting lines piping STDERR to
> > > /dev/null, that doesn't mean creating /dev/null is not required anymore,
> > > it's still required for cvsweb to work correctly (due to rlog I think).
> > >
> > > I updated pkg/README because this requires OpenBSD/Pledge.pm and a .so
> > > file to be copied into the chroot too.
> > >
> > > I had some testing on the www repository by a lot of people and it
> > > worked perfectly.
> >
> > Be careful that error messages do not show up on the web pages
> > generated by not redirecting stderr...
> >
> > -Otto
>
> at least slowcgi discards stderr output, not sure for other cgis.
> if you have a better way (not writing to something) to discard the
> stderr output that would be better than making slowcgi ignore it.
You could pre-open a /dev/null file handle and then dup(2) it instead of
opening a new one.  I haven't had time to really look at the rest of the
patch though.

https://perldoc.perl.org/functions/open.html

    You may also, in the Bourne shell tradition, specify an EXPR beginning
    with >&, in which case the rest of the string is interpreted as the
    name of a filehandle (or file descriptor, if numeric) to be duped (as
    in dup(2)) and opened.

#!/usr/bin/perl
use strict;
use warnings;
use OpenBSD::Pledge;
use OpenBSD::Unveil;

# Open /dev/null for writing once, while wpath is still permitted; the
# descriptor stays usable after pledge(2) has taken wpath away.
open my $DEVNULL, '>', '/dev/null' or die "Unable to open /dev/null: $!";

pledge( qw( rpath proc exec prot_exec unveil ) ) || die "Can't pledge: $!";

unveil( "/usr/libdata/perl5/", "r" ) || die "Unable to unveil: $!";
unveil( "/bin/sh", "rx" )            || die "Unable to unveil: $!";
unveil()                              || die "Unable to unveil: $!";

# Parenthesize open() so that "//" tests its return value; without the
# parens it would test the "-|" string, which is always defined.
my $pid = open( my $child, "-|" ) // die "Unable to fork: $!";
unless ($pid) {
    # Child: dup(2) the pre-opened handle onto STDERR, no new open(2).
    open STDERR, '>&', $DEVNULL or die "Unable to dup DEVNULL: $!";
    exec 'sh', '-c', 'echo stderr >&2; echo stdout'
        or die "Unable to exec sh: $!";
}
print "got: $_" for readline $child;

-- 
andrew - http://afresh1.com
($do || !$do) && undef($try) ; # Master of Perl, Yoda is.  Hmmmm?
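The same pre-open-then-dup(2) pattern, written as a reusable helper the way a CGI such as cvsweb would call it for every rlog-style child it spawns. This is an added example, not code from the thread above and not part of devel/cvsweb; the helper name run_quiet, the use of /bin/sh as the child, and the exit status it returns are assumptions for illustration. Unlike the post's snippet it also reports the child's exit status, so a failure is still visible to the script even though the child's stderr is discarded.

```perl
#!/usr/bin/perl
# Added example (not from the thread or cvsweb): open /dev/null once,
# before pledge(2) drops wpath, and dup(2) it into every child instead of
# opening it again.
use strict;
use warnings;
use OpenBSD::Pledge;

# Opened while wpath is still allowed; the descriptor survives pledge(2).
open my $DEVNULL, '>', '/dev/null' or die "Unable to open /dev/null: $!";

# proc and exec for the pipe open, rpath for whatever the child reads.
# No wpath or cpath: after this point opening /dev/null for writing would
# be a pledge violation and the process would be killed.
pledge(qw( rpath proc exec prot_exec )) or die "Can't pledge: $!";

# Run @cmd and return (exit status, stdout lines).  The child's stderr is
# sent to the pre-opened /dev/null handle, so nothing leaks into the page.
sub run_quiet {
    my @cmd = @_;

    # Parenthesized so "//" tests open()'s return value, not the "-|" string.
    my $pid = open( my $child, '-|' ) // die "Unable to fork: $!";
    unless ($pid) {
        # Child: dup(2) the existing handle onto STDERR; no open(2) needed.
        open STDERR, '>&', $DEVNULL or die "Unable to dup DEVNULL: $!";
        # Indirect-object form: $cmd[0] is the program, @cmd is argv.
        exec { $cmd[0] } @cmd or die "Unable to exec $cmd[0]: $!";
    }

    my @out = readline $child;
    close $child;    # waits for the child and sets $? to its exit status
    return ( $? >> 8, @out );
}

# Assumed child: /bin/sh writes to both streams and exits non-zero.
my ( $status, @lines ) =
    run_quiet( '/bin/sh', '-c', 'echo stderr >&2; echo stdout; exit 3' );
print "exit status $status\n";
print "got: $_" for @lines;
```

Everything the child writes to its stderr disappears into the handle opened before pledge(2), while the parent still sees both the stdout lines and the exit status from close(), which is the check a CGI should make before trusting the output it is about to render.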
