I don't know if Scribble needs OpenSSL, but a dependency probably does. The 
only precondition of that error is that openssl/mzssl appears *somewhere* among 
the dependencies. I run into that same error for evaluators that have nothing 
to do with Scribble.

~slg

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, January 4, 2021 7:10 PM, 'William J. Bowman' via Racket Users 
<racket-users@googlegroups.com> wrote:

> Thanks for the explanation.
>
> I can't figure out why scribble/manual needs openssl, but oh well.
>
> After reading through openssl, I've gone with a slightly less blunt 
> instrument:
>
> > (require/expose openssl/mzssl (X509_get_default_cert_file))
> > ...
> > [sandbox-path-permissions
> >  (append `((exists ,(X509_get_default_cert_file)))
> >          (sandbox-path-permissions))]
> > ...
>
> --
>
> William J. Bowman
>
> On Tue, Jan 05, 2021 at 12:07:12AM +0000, Sage Gerard wrote:
>
> > Heads up: My earlier example was missing a closing paren. Also just saw 
> > that your subject line asked "Why", so I checked.
> > openssl/mzssl provides a parameter called `ssl-default-verify-sources'. See 
> > 1. The parameter is created during module instantiation with an OS-dependent 
> > default value.
> > When you create a sandboxed evaluator, it is impacted by several 
> > parameters. The default values of those parameters have little to no trust 
> > in the code, and will deny ALL filesystem access. Also, all Racket modules 
> > that are not shared with the evaluator are instantiated again. So you need 
> > to account for what happens as a side effect of all instantiations needed 
> > to get the evaluator up and running. If some module somewhere happens to 
> > require openssl/mzssl (even if you don't need it), then you are impacted by 
> > the permissions on the evaluator.
> > My earlier example was crude precisely because it is a blanket grant of 
> > existential checks for all filesystem paths. For better security habits, 
> > you can just add one `exists' permission to `(sandbox-path-permissions)' 
> > based on the value of `(ssl-default-verify-sources)'.
> > ~slg
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Monday, January 4, 2021 6:53 PM, Sage Gerard s...@sagegerard.com wrote:
> >
> > > If you just want to silence the error with a blunt instrument, then you 
> > > could
> > > try a parameterization where sandbox-path-permissions is set to:
> > > (append (map (λ (p) `(exists ,p)) (filesystem-root-list)
> > > (sandbox-path-permissions)))
> > > This suffices since it is an existential check, not a file read.
> > > ~slg
> > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > On Monday, January 4, 2021 6:47 PM, 'William J. Bowman' via Racket Users 
> > > racket-users@googlegroups.com wrote:
> > >
> > > > I have a sandbox that loads scribble/manual (indirectly) to render some 
> > > > HTML.
> > > > But it crashes with the following error:
> > > >
> > > > > racket -e "(require racket/sandbox)" -e "((make-evaluator 
> > > > > 'racket/base) '(require scribble/manual))"
> > > >
> > > > file-exists?: `exists' access denied for /etc/ssl/cert.pem
> > > > errortrace...:
> > > > context...:
> > > > do-error
> > > > security-guard-check-file
> > > > ->host
> > > > file-exists?
> > > > ..../racket/racket/collects/openssl/mzssl.rkt:397:0: x509-root-sources
> > > > interpret
> > > > [repeats 1 more time]
> > > > proc
> > > > call-in-empty-metacontinuation-frame
> > > > body of "..../racket/racket/collects/openssl/mzssl.rkt"
> > > > interpret-expr
> > > > body of top-level
> > > > run-module-instance!
> > > > [repeats 12 more times]
> > > > perform-require!
> > > > loop
> > > >
> > > > This is strange, since openssl shouldn't actually be needed.
> > > > I could just allow access to the file, but the path depends on which 
> > > > operating system I'm running on making this slightly complicated, and 
> > > > the access isn't necessary.
> > > >
> > > > Is there some way to trick Racket into not trying to do this, or else 
> > > > some parameter I can use to provide access to whatever openssl is going 
> > > > to try to touch without hardcoding the paths?
> > > >
> > > > William J. Bowman
> > > >
> > > > You received this message because you are subscribed to the Google 
> > > > Groups "Racket Users" group.
> > > > To unsubscribe from this group and stop receiving emails from it, send 
> > > > an email to racket-users+unsubscr...@googlegroups.com.
> > > > To view this discussion on the web visit 
> > > > https://groups.google.com/d/msgid/racket-users/X/OpEPyvzOyzQql2%40williamjbowman.com.
> >
>



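The narrower grant suggested in the thread, written out as an added example (not code posted by either participant): it derives `exists`-only permissions from the host's `(ssl-default-verify-sources)` instead of allowing existence checks on every filesystem root. The helper names `source->permissions`, `openssl-exists-permissions` and `make-scribble-evaluator` are hypothetical, and it assumes the parameter's value on the host lists the paths that openssl/mzssl probes when it is instantiated inside the sandbox.

```racket
#lang racket/base
;; Added example, not from the thread. Helper names are hypothetical.
(require racket/sandbox
         racket/match
         openssl/mzssl) ; provides ssl-default-verify-sources (per the thread)

;; Turn one verify source into zero or more sandbox permissions.
;; Only filesystem-backed sources matter here; anything else
;; (for instance a Windows certificate store entry) yields no grant.
(define (source->permissions src)
  (match src
    [(? path-string? p)                   (list (list 'exists p))]
    [(list 'directory (? path-string? d)) (list (list 'exists d))]
    [_ '()]))

;; Read the parameter on the host, outside the sandbox, where
;; openssl/mzssl has been instantiated without restrictions.
(define (openssl-exists-permissions)
  (apply append (map source->permissions (ssl-default-verify-sources))))

;; Build the evaluator with the extra grants in effect. Only `exists'
;; is added: the sandboxed code can test for the certificate paths
;; but still cannot read, write or execute them.
(define (make-scribble-evaluator)
  (parameterize ([sandbox-path-permissions
                  (append (openssl-exists-permissions)
                          (sandbox-path-permissions))])
    (define ev (make-evaluator 'racket/base))
    (ev '(require scribble/manual))
    ev))

(module+ main
  ;; Show exactly what is being granted before creating the evaluator.
  (for ([perm (in-list (openssl-exists-permissions))])
    (printf "granting ~s\n" perm))
  (void (make-scribble-evaluator)))
```

Printing the derived list before use makes it easy to audit that nothing broader than the certificate locations is being opened up.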