Ah! I didn’t know about the module browser, thanks! And I guess this chain makes sense.
-- Sent from my phoneamajig > On Jan 4, 2021, at 16:27, Robby Findler <[email protected]> wrote: > > > If you open a file that requires scribble/manual with the module browser > (available via the Racket menu item in DrRacket), you'll see that ssl is > needed by the code that opens urls (presumably to do https) which is needed > by the code that handles planet requires (since planet requires may involve > http requests) which is needed by the code that handles tags (presumably > these tags go via require paths, maybe?) in scribble. At least, I think I > might be getting that right. > > Robby > > >> On Mon, Jan 4, 2021 at 6:15 PM Sage Gerard <[email protected]> wrote: >> I don't know if Scribble needs OpenSSL, but a dependency probably does. The >> only precondition of that error is that openssl/mzssl appears *somewhere* >> among the dependencies. I run into that same error for evaluators that have >> nothing to do with Scribble. >> >> ~slg >> >> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >> On Monday, January 4, 2021 7:10 PM, 'William J. Bowman' via Racket Users >> <[email protected]> wrote: >> >> > Thanks for the explanation. >> > >> > I can't figure out why scribble/manual needs openssl, but oh well. >> > >> > After reading through openssl, I've gone with a slightly less blunt >> > instrument: >> > >> > > (require/expose openssl/mzssl (X509_get_default_cert_file)) >> > > ... >> > > [sandbox-path-permissions (append `((exists >> > > ,(X509_get_default_cert_file))) >> > > (sandbox-path-permissions))] >> > > ... >> > >> > -- >> > >> > William J. Bowman >> > >> > On Tue, Jan 05, 2021 at 12:07:12AM +0000, Sage Gerard wrote: >> > >> > > Heads up: My earlier example was missing a closing paren. Also just saw >> > > that your subject line asked "Why", so I checked. >> > > openssl/mzssl provides a parameter called `ssl-default-verify-sources'. >> > > See 1. The parameter is created during module instantiation with a >> > > OS-dependent default value. >> > > When you create a sandboxed evaluator, it is impacted by several >> > > parameters. The default values of those parameters have little to no >> > > trust in the code, and will deny ALL filesystem access. Also, all Racket >> > > modules that are not shared with the evaluator are instantiated again. >> > > So you need to account for what happens as a side effect of all >> > > instantiations needed to get the evaluator up and running. If some >> > > module somewhere happens to require openssl/mzssl (even if you don't >> > > need it), then you are impacted by the permissions on the evaluator. >> > > My earlier example was crude precisely because it is a blanket grant of >> > > existential checks for all filesystem paths. For better security habits, >> > > you can just add one `exists' permission to`(sandbox-path-permissions)' >> > > based on the value of `(ssl-default-verify-sources)'. >> > > ~slg >> > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >> > > On Monday, January 4, 2021 6:53 PM, Sage Gerard [email protected] >> > > wrote: >> > > >> > > > If you just want to silence the error with a blunt instrument, then >> > > > you could >> > > > try a parameterization where sandbox-path-permissions is set to: >> > > > (append (map (λ (p) `(exists ,p)) (filesystem-root-list) >> > > > (sandbox-path-permissions))) >> > > > This suffices since it is an existential check, not a file read. >> > > > ~slg >> > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >> > > > On Monday, January 4, 2021 6:47 PM, 'William J. Bowman' via Racket >> > > > Users [email protected] wrote: >> > > > >> > > > > I have a sandbox that loads scribble/manual (indirectly) to render >> > > > > some HTML. >> > > > > But it crashes with the following error: >> > > > > >> > > > > > racket -e "(require racket/sandbox)" -e "((make-evaluator >> > > > > > 'racket/base) '(require scribble/manual))" >> > > > > >> > > > > file-exists?: `exists' access denied for /etc/ssl/cert.pem >> > > > > errortrace...: >> > > > > context...: >> > > > > do-error >> > > > > security-guard-check-file >> > > > > ->host >> > > > > file-exists? >> > > > > ..../racket/racket/collects/openssl/mzssl.rkt:397:0: >> > > > > x509-root-sources >> > > > > interpret >> > > > > [repeats 1 more time] >> > > > > proc >> > > > > call-in-empty-metacontinuation-frame >> > > > > body of "..../racket/racket/collects/openssl/mzssl.rkt" >> > > > > interpret-expr >> > > > > body of top-level >> > > > > run-module-instance! >> > > > > [repeats 12 more times] >> > > > > perform-require! >> > > > > loop >> > > > > This is strange, since openssl shouldn't actually be needed. >> > > > > I could just allow access to the file, but the path depends on which >> > > > > operating system I'm running on making this slightly complicated, >> > > > > and the access isn't necessary. >> > > > > Is there some way to trick Racket into not trying to do this, or >> > > > > else some parameter I can use to provide access to whatever openssl >> > > > > is going to try to touch without hardcoding the paths? >> > > > > William J. Bowman >> > > > > You received this message because you are subscribed to the Google >> > > > > Groups "Racket Users" group. >> > > > > To unsubscribe from this group and stop receiving emails from it, >> > > > > send an email to [email protected]. >> > > > > To view this discussion on the web visit >> > > > > https://groups.google.com/d/msgid/racket-users/X/OpEPyvzOyzQql2%40williamjbowman.com. >> > > >> > > -- >> > > You received this message because you are subscribed to the Google >> > > Groups "Racket Users" group. >> > > To unsubscribe from this group and stop receiving emails from it, send >> > > an email to [email protected]. >> > > To view this discussion on the web visit >> > > https://groups.google.com/d/msgid/racket-users/qQRDoCYwXeJy2_f_PXvZkjoBUmmKChpSJzN6XCGWFz11VsXOuhzFEArD2-2FuR4Mui8gx3MAX2v5aX_bF21izapOF9peJ7Y3P0eg3Vei3yM%3D%40sagegerard.com. >> > >> > -- >> > >> > You received this message because you are subscribed to the Google Groups >> > "Racket Users" group. >> > To unsubscribe from this group and stop receiving emails from it, send an >> > email to [email protected]. >> > To view this discussion on the web visit >> > https://groups.google.com/d/msgid/racket-users/X/OuXgfbHhAeNQn8%40williamjbowman.com. >> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Racket Users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/racket-users/df1qbsAjG0UlPL65pBoSA8ghltP0LiU6uLP1TRjUJPHWYhrfIGeaSTVgG0DQgPtg1aUNG5JJ7zXwlQS7-pDWdj3IHdz2aalKN9uTi1_i-jE%3D%40sagegerard.com. -- You received this message because you are subscribed to the Google Groups "Racket Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/racket-users/1841DEDF-998C-419B-B6F3-C8968590BF20%40williamjbowman.com.
