
www/obhttpd: Patch for OpenBSD 6.0 errata.
Abandoned, Public

Authored by jrm on Feb 13 2017, 8:17 PM.

Details

Reviewers
swills
AMDmi3
Summary

www/obhttpd: Patch for OpenBSD 6.0 errata.

PR 216752 submitted by t@tobik.me

While here

  • patch the man pages to refer to the correct names and file paths on FreeBSD
  • create directories for a simple, working default configuration
Test Plan

portlint -C: OK
testport: OK (poudriere: 10.3-RELEASE-p10, i386)
testport: OK (poudriere: 10.3-RELEASE-p10, amd64)
testport: OK (poudriere: 11.0-RELEASE-p1, i386)
testport: OK (poudriere: 11.0-RELEASE-p1, amd64)

Diff Detail

Repository
rP FreeBSD ports repository
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 7518
Build 7677: arc lint + arc unit

Event Timeline

jrm retitled this revision from to www/obhttpd: Patch for OpenBSD 6.0 errata..
jrm updated this object.
jrm edited the test plan for this revision.
jrm added reviewers: swills, AMDmi3.
jrm added a subscriber: tobik.

Works fine for me. This is much better than having to create all those dirs yourself. :)

www/obhttpd/files/patch-usr.sbin_httpd_httpd.conf.5
60

As you said in the PR, the www user has a nonexistent home on FreeBSD. We could change httpd.c by replacing

env->sc_chroot = ps->ps_pw->pw_dir;

with

env->sc_chroot = "%%WWWDIR%%";

and in proc.c

root = pw->pw_dir;

by

root = "%%WWWDIR%%";

Then having chroot in obhttpd.conf isn't necessary anymore and the man page could just say

If not specified, it defaults to
.Pa %%WWWDIR%% .

Thanks for testing. Setting the default chroot directory sounds reasonable. Since this is an important change with possible unintended implications, I would like to get feedback from someone on port-secteam and the maintainer.

Another possible option would be to create a new user account, set its home directory, and have obhttpd run as that user. I believe that would require just a one-line patch in httpd.h.

Set a default chroot directory as suggested by Tobik.

jrm marked an inline comment as done.

Fix typo in httpd.conf.5 patch.

  1. This is not the correct way to set the chroot path. There is an option in the configuration file for this.
  2. Why is it necessary to modify etc/example/httpd.conf? This is just an example configuration file.
  3. The ticket in Bugzilla was created because of OpenBSD 6.0 errata 17, Jan 31, 2017, and httpd needs a security fix, and I approved the patch. Currently, in the same diff, there are changes which have nothing in common with the necessary security fix. Merging different tasks in the same diff is not a good practice.
  1. This is only to set the default chroot, when one is not specified in the configuration file.
  2. The sample configuration file, which is copied to be the default configuration file, was broken before. When the user installed the package and did
service obhttpd onestart

it would fail. Now it does not.

  3. Yes, I can agree here. This diff snowballed into something bigger than originally intended, but all these changes fix something that was broken before.

To elaborate on 1., the current default is the www user's home directory. On OpenBSD this is /var/root. On FreeBSD, the www user has a nonexistent home directory.

I will pull out the other changes and only commit the errata fix.
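
The default-chroot question discussed in this thread, as an added example that is not part of this revision or of obhttpd's source. It generalizes the proposal into one possible resolution order (configuration value, then the user's home directory, then a compiled-in default) and checks each candidate before use; pick_chroot, usable_dir and the sample paths are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical helper (not from httpd.c or proc.c): a chroot candidate is
 * usable only if it is an absolute path to an existing directory. */
static int usable_dir(const char *path)
{
    struct stat st;

    if (path == NULL || path[0] != '/')
        return 0;
    if (stat(path, &st) == -1)
        return 0;
    return S_ISDIR(st.st_mode) ? 1 : 0;
}

/* Returns the directory to chroot into, or NULL when no candidate is usable.
 * configured:   "chroot" value from the configuration file, or NULL
 * pw_dir:       home directory of the unprivileged user (pw->pw_dir)
 * port_default: compiled-in fallback (what %%WWWDIR%% would expand to) */
const char *pick_chroot(const char *configured, const char *pw_dir,
    const char *port_default)
{
    /* An explicit setting is never silently replaced by a fallback. */
    if (configured != NULL)
        return usable_dir(configured) ? configured : NULL;
    if (usable_dir(pw_dir))
        return pw_dir;
    if (usable_dir(port_default))
        return port_default;
    return NULL;
}

int main(void)
{
    /* Constructed inputs: "/nonexistent" stands in for a missing home
     * directory, "/tmp" for an existing default directory. */
    const char *dir = pick_chroot(NULL, "/nonexistent", "/tmp");

    printf("chroot target: %s\n", dir ? dir : "(none, refuse to start)");
    return dir == NULL;
}
```

A NULL result is the case to handle at startup: the daemon should exit with an error rather than continue without a chroot.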