From: Stanley Lieber
To: 9front@9front.org
Date: Thu, 31 Mar 2022 16:26:15 -0400
Subject: Re: [9front] 4chan hacked rc-httpd
Message-Id: <1E26D2D8-C31B-4DAC-A479-846E66E58F4A@stanleylieber.com>

it’s a little more complex than just binding /bin because we serve cgi, but yes, some rudimentary sandboxing would be superior to what we’ve been doing for the past ten years.

sl

> On Mar 31, 2022, at 4:22 PM, Kurt H Maier wrote:
>
> On Thu, Mar 31, 2022 at 07:35:37PM +0000, sirjofri wrote:
>> Hey,
>>
>> doesn't rc-httpd bind /usr/web / like tcp80 and httpd do? At least, it
>> could mkdir /usr/web/bin && bind /bin /usr/web/bin and then bind /usr/web
>> /.
>>
>> At least that's what I'd do.
>>
>> I tested on my web server which runs tcp80 and I didn't have an issue
>> like that.
>>
>> sirjofri
>
> Patches welcome -- currently we're just kicking out errors for requests
> with this crap in the url.
>
> khm