I don't know if Scribble needs OpenSSL, but a dependency probably does. The only precondition of that error is that openssl/mzssl appears *somewhere* among the dependencies. I run into that same error for evaluators that have nothing to do with Scribble.
~slg

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, January 4, 2021 7:10 PM, 'William J. Bowman' via Racket Users <[email protected]> wrote:

> Thanks for the explanation.
>
> I can't figure out why scribble/manual needs openssl, but oh well.
>
> After reading through openssl, I've gone with a slightly less blunt
> instrument:
>
> > (require/expose openssl/mzssl (X509_get_default_cert_file))
> > ...
> > [sandbox-path-permissions (append `((exists
> >                                      ,(X509_get_default_cert_file)))
> >                                   (sandbox-path-permissions))]
> > ...
>
> --
> William J. Bowman
>
> On Tue, Jan 05, 2021 at 12:07:12AM +0000, Sage Gerard wrote:
>
> > Heads up: My earlier example was missing a closing paren. Also just saw
> > that your subject line asked "Why", so I checked.
> >
> > openssl/mzssl provides a parameter called `ssl-default-verify-sources'. See
> > 1. The parameter is created during module instantiation with an OS-dependent
> > default value.
> >
> > When you create a sandboxed evaluator, it is impacted by several
> > parameters. The default values of those parameters have little to no trust
> > in the code, and will deny ALL filesystem access. Also, all Racket modules
> > that are not shared with the evaluator are instantiated again. So you need
> > to account for what happens as a side effect of all instantiations needed
> > to get the evaluator up and running. If some module somewhere happens to
> > require openssl/mzssl (even if you don't need it), then you are impacted by
> > the permissions on the evaluator.
> >
> > My earlier example was crude precisely because it is a blanket grant of
> > existential checks for all filesystem paths. For better security habits,
> > you can just add one `exists' permission to `(sandbox-path-permissions)'
> > based on the value of `(ssl-default-verify-sources)'.
> >
> > ~slg
> >
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Monday, January 4, 2021 6:53 PM, Sage Gerard [email protected] wrote:
> >
> > > If you just want to silence the error with a blunt instrument, then you
> > > could try a parameterization where sandbox-path-permissions is set to:
> > >
> > > (append (map (λ (p) `(exists ,p)) (filesystem-root-list)
> > > (sandbox-path-permissions)))
> > >
> > > This suffices since it is an existential check, not a file read.
> > >
> > > ~slg
> > >
> > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > On Monday, January 4, 2021 6:47 PM, 'William J. Bowman' via Racket Users
> > > [email protected] wrote:
> > >
> > > > I have a sandbox that loads scribble/manual (indirectly) to render some
> > > > HTML.
> > > > But it crashes with the following error:
> > > >
> > > > > racket -e "(require racket/sandbox)" -e "((make-evaluator 'racket/base) '(require scribble/manual))"
> > > >
> > > > file-exists?: `exists' access denied for /etc/ssl/cert.pem
> > > > errortrace...:
> > > > context...:
> > > > do-error
> > > > security-guard-check-file
> > > > ->host
> > > > file-exists?
> > > > ..../racket/racket/collects/openssl/mzssl.rkt:397:0: x509-root-sources
> > > > interpret
> > > > [repeats 1 more time]
> > > > proc
> > > > call-in-empty-metacontinuation-frame
> > > > body of "..../racket/racket/collects/openssl/mzssl.rkt"
> > > > interpret-expr
> > > > body of top-level
> > > > run-module-instance!
> > > > [repeats 12 more times]
> > > > perform-require!
> > > > loop
> > > >
> > > > This is strange, since openssl shouldn't actually be needed.
> > > > I could just allow access to the file, but the path depends on which
> > > > operating system I'm running on making this slightly complicated, and
> > > > the access isn't necessary.
> > > > Is there some way to trick Racket into not trying to do this, or else
> > > > some parameter I can use to provide access to whatever openssl is going
> > > > to try to touch without hardcoding the paths?
> > > >
> > > > William J. Bowman

--
You received this message because you are subscribed to the Google Groups "Racket Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/racket-users/df1qbsAjG0UlPL65pBoSA8ghltP0LiU6uLP1TRjUJPHWYhrfIGeaSTVgG0DQgPtg1aUNG5JJ7zXwlQS7-pDWdj3IHdz2aalKN9uTi1_i-jE%3D%40sagegerard.com.
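
The narrower grant suggested in the thread (one `exists` permission per entry of `(ssl-default-verify-sources)`), written out as an added example that is not code posted by either participant. The helper names `source->permissions`, `ssl-probe-permissions` and `make-narrow-evaluator` are hypothetical, and the example assumes the host's default verify sources name the paths that openssl/mzssl probes when it is instantiated again inside the sandbox.

```racket
#lang racket/base
;; Added example, not from the thread. Assumption: the host process's
;; (ssl-default-verify-sources) lists the paths openssl/mzssl checks
;; when the sandbox instantiates it a second time.
(require racket/sandbox
         racket/match
         openssl)

;; source->permissions (hypothetical helper): map one verify source to a
;; list of `exists' grants. A source is either a path or a tagged list
;; such as (directory <path>).
(define (source->permissions src)
  (match src
    [(? path-string? p) `((exists ,p))]
    [(list (or 'directory 'macosx-keychain) (? path-string? p))
     `((exists ,p))]
    ;; e.g. (win32-store <name>) is not a filesystem path: grant nothing.
    [_ '()]))

;; Only existence checks, and only for the certificate sources,
;; instead of `exists' on every filesystem root.
(define (ssl-probe-permissions)
  (apply append (map source->permissions (ssl-default-verify-sources))))

;; The sandbox parameters are read when the evaluator is created, so the
;; grant has to be in place around make-evaluator.
(define (make-narrow-evaluator)
  (parameterize ([sandbox-path-permissions
                  (append (ssl-probe-permissions)
                          (sandbox-path-permissions))])
    (make-evaluator 'racket/base)))

(module+ main
  (define ev (make-narrow-evaluator))
  ;; The require from the thread that triggered the `exists' denial.
  (ev '(require scribble/manual))
  (printf "granted: ~s\n" (ssl-probe-permissions)))
```

If a denial remains, the error message names the probed path, as in the `/etc/ssl/cert.pem` report above; that path is then missing from the host's sources and needs its own `exists` entry.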

