Complicated systems are surprising! Somehow each little step wasn't
completely crazy .... and yet .... there must be a lesson in here
somewhere. :)

Robby


On Mon, Jan 4, 2021 at 6:45 PM 'William J. Bowman' via Racket Users <[email protected]> wrote:

> Ah! I didn’t know about the module browser, thanks! And I guess this chain
> makes sense.
>
> --
> Sent from my phoneamajig
>
> On Jan 4, 2021, at 16:27, Robby Findler <[email protected]> wrote:
>
> 
>
> If you open a file that requires scribble/manual with the module browser
> (available via the Racket menu item in DrRacket), you'll see that ssl is
> needed by the code that opens urls (presumably to do https) which is needed
> by the code that handles planet requires (since planet requires may involve
> http requests) which is needed by the code that handles tags (presumably
> these tags go via require paths, maybe?) in scribble. At least, I think I
> might be getting that right.
>
> Robby
>
>
> On Mon, Jan 4, 2021 at 6:15 PM Sage Gerard <[email protected]> wrote:
>
>> I don't know if Scribble needs OpenSSL, but a dependency probably does.
>> The only precondition of that error is that openssl/mzssl appears
>> *somewhere* among the dependencies. I run into that same error for
>> evaluators that have nothing to do with Scribble.
>>
>> ~slg
>>
>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> On Monday, January 4, 2021 7:10 PM, 'William J. Bowman' via Racket Users <[email protected]> wrote:
>>
>> > Thanks for the explanation.
>> >
>> > I can't figure out why scribble/manual needs openssl, but oh well.
>> >
>> > After reading through openssl, I've gone with a slightly less blunt instrument:
>> >
>> > > (require/expose openssl/mzssl (X509_get_default_cert_file))
>> > > ...
>> > > [sandbox-path-permissions (append `((exists ,(X509_get_default_cert_file)))
>> > >                                   (sandbox-path-permissions))]
>> > > ...
>> >
>> > --
>> >
>> > William J. Bowman
>> >
>> > On Tue, Jan 05, 2021 at 12:07:12AM +0000, Sage Gerard wrote:
>> >
>> > > Heads up: My earlier example was missing a closing paren. Also just saw that your subject line asked "Why", so I checked.
>> > > openssl/mzssl provides a parameter called `ssl-default-verify-sources'. See 1. The parameter is created during module instantiation with an OS-dependent default value.
>> > > When you create a sandboxed evaluator, it is impacted by several parameters. The default values of those parameters have little to no trust in the code, and will deny ALL filesystem access. Also, all Racket modules that are not shared with the evaluator are instantiated again. So you need to account for what happens as a side effect of all instantiations needed to get the evaluator up and running. If some module somewhere happens to require openssl/mzssl (even if you don't need it), then you are impacted by the permissions on the evaluator.
>> > > My earlier example was crude precisely because it is a blanket grant of existential checks for all filesystem paths. For better security habits, you can just add one `exists' permission to `(sandbox-path-permissions)' based on the value of `(ssl-default-verify-sources)'.
>> > > ~slg
>> > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> > > On Monday, January 4, 2021 6:53 PM, Sage Gerard [email protected] wrote:
>> > >
>> > > > If you just want to silence the error with a blunt instrument, then you could
>> > > > try a parameterization where sandbox-path-permissions is set to:
>> > > > (append (map (λ (p) `(exists ,p)) (filesystem-root-list)
>> > > > (sandbox-path-permissions)))
>> > > > This suffices since it is an existential check, not a file read.
>> > > > ~slg
>> > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> > > > On Monday, January 4, 2021 6:47 PM, 'William J. Bowman' via Racket Users [email protected] wrote:
>> > > >
>> > > > > I have a sandbox that loads scribble/manual (indirectly) to render some HTML.
>> > > > > But it crashes with the following error:
>> > > > >
>> > > > > > racket -e "(require racket/sandbox)" -e "((make-evaluator 'racket/base) '(require scribble/manual))"
>> > > > >
>> > > > > file-exists?: `exists' access denied for /etc/ssl/cert.pem
>> > > > > errortrace...:
>> > > > > context...:
>> > > > > do-error
>> > > > > security-guard-check-file
>> > > > > ->host
>> > > > > file-exists?
>> > > > > ..../racket/racket/collects/openssl/mzssl.rkt:397:0: x509-root-sources
>> > > > > interpret
>> > > > > [repeats 1 more time]
>> > > > > proc
>> > > > > call-in-empty-metacontinuation-frame
>> > > > > body of "..../racket/racket/collects/openssl/mzssl.rkt"
>> > > > > interpret-expr
>> > > > > body of top-level
>> > > > > run-module-instance!
>> > > > > [repeats 12 more times]
>> > > > > perform-require!
>> > > > > loop
>> > > > > This is strange, since openssl shouldn't actually be needed.
>> > > > > I could just allow access to the file, but the path depends on which operating system I'm running on making this slightly complicated, and the access isn't necessary.
>> > > > > Is there some way to trick Racket into not trying to do this, or else some parameter I can use to provide access to whatever openssl is going to try to touch without hardcoding the paths?
>> > > > > William J. Bowman
>> > > > > You received this message because you are subscribed to the
>> Google Groups "Racket Users" group.
>> > > > > To unsubscribe from this group and stop receiving emails from it,
>> send an email to [email protected].
>> > > > > To view this discussion on the web visit
>> https://groups.google.com/d/msgid/racket-users/X/OpEPyvzOyzQql2%40williamjbowman.com
>> .
>
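
The narrower grant Sage Gerard describes in the quoted thread, written out as an added example (not code from the thread or from the Racket distribution). It assumes every path openssl/mzssl probes while instantiating inside the sandbox is listed in the host's `(ssl-default-verify-sources)`; `source->permissions`, `ssl-exists-permissions` and the probed path at the end are names and values made up for this example.

```racket
#lang racket/base
;; Added example: grant the sandbox `exists` access only to the certificate
;; sources openssl reports, instead of to every filesystem root.
(require racket/sandbox racket/match openssl)

;; One verify source -> zero or more sandbox path permissions.
;; Sources are plain paths, (directory <path>), (macosx-keychain <path>),
;; or (win32-store <name>); the last is not a filesystem path.
(define (source->permissions src)
  (match src
    [(? path-string? file)                         `((exists ,file))]
    [(list 'directory (? path-string? dir))        `((exists ,dir))]
    [(list 'macosx-keychain (? path-string? keys)) `((exists ,keys))]
    [_ '()]))

;; Computed in the host, where openssl is instantiated without a sandbox.
(define ssl-exists-permissions
  (apply append (map source->permissions (ssl-default-verify-sources))))

;; The evaluator captures sandbox-path-permissions when it is created,
;; so the parameterize only needs to wrap make-evaluator.
(define ev
  (parameterize ([sandbox-path-permissions
                  (append ssl-exists-permissions (sandbox-path-permissions))])
    (make-evaluator 'racket/base)))

;; Module instantiation inside the sandbox, including openssl/mzssl if a
;; dependency pulls it in, now runs under the narrowed permissions.
(ev '(require scribble/manual))

;; A constructed path outside the grant is expected to be refused by the
;; sandbox's security guard; the handler prints the denial message.
(with-handlers ([exn:fail? (λ (e) (displayln (exn-message e)))])
  (ev '(file-exists? "/constructed/example/not-granted")))
```

If the sandbox still reports a denied path after this, that path is not among the listed sources on that platform and has to be granted separately.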
