Thanks for the explanation. I can't figure out why scribble/manual needs openssl, but oh well.

After reading through openssl, I've gone with a slightly less blunt instrument:

> (require/expose openssl/mzssl (X509_get_default_cert_file))
>
> ...
> [sandbox-path-permissions (append `((exists ,(X509_get_default_cert_file)))
>                                   (sandbox-path-permissions))]
> ...

--
William J. Bowman

On Tue, Jan 05, 2021 at 12:07:12AM +0000, Sage Gerard wrote:
> Heads up: My earlier example was missing a closing paren. Also just saw that
> your subject line asked "Why", so I checked.
>
> openssl/mzssl provides a parameter called `ssl-default-verify-sources'. See
> [1]. The parameter is created during module instantiation with an OS-dependent
> default value.
>
> When you create a sandboxed evaluator, it is impacted by several parameters.
> The default values of those parameters have little to no trust in the code,
> and will deny ALL filesystem access. Also, all Racket modules that are not
> shared with the evaluator are instantiated again. So you need to account for
> what happens as a side effect of all instantiations needed to get the
> evaluator up and running. If some module somewhere happens to require
> openssl/mzssl (even if you don't need it), then you are impacted by the
> permissions on the evaluator.
>
> My earlier example was crude precisely because it is a blanket grant of
> existential checks for all filesystem paths. For better security habits, you
> can just add one `exists' permission to `(sandbox-path-permissions)' based on
> the value of `(ssl-default-verify-sources)'.
>
> [1]: https://docs.racket-lang.org/openssl/index.html?q=ssl-default-verify-sources#%28def._%28%28lib._openssl%2Fmain..rkt%29._ssl-default-verify-sources%29%29
>
> ~slg
>
> ------- Original Message -------
> On Monday, January 4, 2021 6:53 PM, Sage Gerard <[email protected]> wrote:
>
> > If you just want to silence the error with a blunt instrument, then you
> > could try a parameterization where sandbox-path-permissions is set to:
> >
> > (append (map (λ (p) `(exists ,p)) (filesystem-root-list))
> >         (sandbox-path-permissions))
> >
> > This suffices since it is an existential check, not a file read.
> >
> > ~slg
> >
> > ------- Original Message -------
> > On Monday, January 4, 2021 6:47 PM, 'William J. Bowman' via Racket Users
> > [email protected] wrote:
> >
> > > I have a sandbox that loads scribble/manual (indirectly) to render some
> > > HTML. But it crashes with the following error:
> > >
> > > > racket -e "(require racket/sandbox)" -e "((make-evaluator 'racket/base)
> > > > '(require scribble/manual))"
> > >
> > > file-exists?: `exists' access denied for /etc/ssl/cert.pem
> > > errortrace...:
> > > context...:
> > >  do-error
> > >  security-guard-check-file
> > >  ->host
> > >  file-exists?
> > >  ..../racket/racket/collects/openssl/mzssl.rkt:397:0: x509-root-sources
> > >  interpret
> > >  [repeats 1 more time]
> > >  proc
> > >  call-in-empty-metacontinuation-frame
> > >  body of "..../racket/racket/collects/openssl/mzssl.rkt"
> > >  interpret-expr
> > >  body of top-level
> > >  run-module-instance!
> > >  [repeats 12 more times]
> > >  perform-require!
> > >  loop
> > >
> > > This is strange, since openssl shouldn't actually be needed.
> > > I could just allow access to the file, but the path depends on which
> > > operating system I'm running on, making this slightly complicated, and the
> > > access isn't necessary.
> > >
> > > Is there some way to trick Racket into not trying to do this, or else
> > > some parameter I can use to provide access to whatever openssl is going
> > > to try to touch without hardcoding the paths?
> > >
> > > William J. Bowman
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups
> > > "Racket Users" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an
> > > email to [email protected].
> > > To view this discussion on the web visit
> > > https://groups.google.com/d/msgid/racket-users/X/OpEPyvzOyzQql2%40williamjbowman.com.
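The two approaches discussed in this thread, put together as one complete script. This is an added example, not code posted by either participant: it collects the paths that openssl/mzssl probes during instantiation from the documented `ssl-default-verify-sources` parameter (Sage's suggestion) and from the unexported `X509_get_default_cert_file` binding reached via rackunit's `require/expose` (William's final version), and grants the sandbox only an `exists` check on those paths instead of every filesystem root. It assumes a Racket installation with the `openssl`, `rackunit`, and `scribble` collections available; the helper names (`openssl-probe-paths`, `permissions-with-openssl-probes`, `make-scribble-evaluator`) are this example's own.

```racket
#lang racket/base
;; Added example, not code from the thread. Grants a sandboxed evaluator the
;; minimum filesystem permission needed for openssl/mzssl to instantiate:
;; an `exists` check on the default certificate source paths, nothing else.
(require racket/sandbox
         racket/list
         openssl
         (only-in rackunit require/expose))

;; Unexported FFI binding inside openssl/mzssl; its result is the path whose
;; `file-exists?` probe tripped the security guard in the original error.
(require/expose openssl/mzssl (X509_get_default_cert_file))

;; Filesystem paths openssl/mzssl may probe while being instantiated.
;; Entries of `ssl-default-verify-sources` that are not file or directory
;; paths (OS certificate stores) need no path permission and are skipped.
(define (openssl-probe-paths)
  (define from-parameter
    (for/list ([src (in-list (ssl-default-verify-sources))]
               #:when (or (path-string? src)
                          (and (pair? src) (eq? (car src) 'directory))))
      (if (pair? src) (cadr src) src)))
  (remove-duplicates (cons (X509_get_default_cert_file) from-parameter)))

;; Least-privilege permission list: one `exists` entry per probed path,
;; prepended to whatever the sandbox already allows by default.
(define (permissions-with-openssl-probes)
  (append (for/list ([p (in-list (openssl-probe-paths))])
            `(exists ,p))
          (sandbox-path-permissions)))

;; The security guard is installed when the evaluator is created, so the
;; parameterization must be in effect around make-evaluator, not around
;; the later evaluation that triggers the require.
(define (make-scribble-evaluator)
  (parameterize ([sandbox-path-permissions (permissions-with-openssl-probes)])
    (make-evaluator 'racket/base)))

(module+ main
  (define ev (make-scribble-evaluator))
  (printf "granted exists on: ~s\n" (openssl-probe-paths))
  ;; This is the require that failed in the original report.
  (ev '(require scribble/manual))
  (displayln "scribble/manual loaded inside the sandbox"))
```

Run with `racket sandbox-openssl.rkt` (any filename). Deriving the paths at runtime keeps the permission list correct across operating systems, and restricting the grant to `exists` means the sandboxed code still cannot read the certificate file; the check that openssl/mzssl performs during instantiation is purely existential, as the thread notes.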

