From: Jacob Moody <moody@mail.posixcafe.org>
To: 9front@9front.org
Subject: Re: [9front] httpd minimal configuration
Date: Tue, 21 Jun 2022 07:15:50 -0600
Message-ID: <4a8d0815-0bd5-91e1-0a7a-048088dbd2c2@posixcafe.org>
In-Reply-To: <yRRvar7ERrJB3c1s1AzWaUgb1lA0r2eWSJEiDFRfuqQWKFuz1XSvBEP8nbvVzMSW7F7nXKBmqr-NOBJbK79Tl45j8TORPHfw4pyBiiR8XJI=@proton.me>

On 6/21/22 06:58, planless.user9 wrote:
> Thank you very much for your fast and helpful reply.
>
> I will look at the source code in that case, hoping to get a simple web server set up.
>
> Are there concrete insecurities in the implementation of namespaces?
>

Some thoughts:

First off, you seemed to imply that rc-httpd had to be used with werc; this is not the case.
If your goal is to just serve some static files, rc-httpd on its own is more than capable. I would be
curious to hear your reasoning for preferring httpd.

Hiro claims that namespaces are not security boundaries. I think I would have agreed
maybe 6 months ago, but some work has been done lately to change this.
I'd argue that with chdev and auth/box we're in a much, much nicer spot
in regards to making namespaces proper security boundaries. If you still disagree
with this statement, I would be curious to hear what you think still needs changed.

Also, you mention /lib/namespace.httpd; it _is_ expected that you customize it for your
system: modify it to place your webroot in the right spot.

However, if you are using rc-httpd with aux/listen, there is a namespace file already
that takes advantage of newer security features: /rc/bin/service/!tcp80.namespace.
If you wish to use this, cp /rc/bin/!tcp80 /rc/bin/tcp80 and cp /rc/bin/!tcp80.namespace
/rc/bin/tcp80.namespace, then customize as desired.

If you need some tips on writing/reading namespace files, check namespace(6) and the associated
(1) pages for commands mirrored in namespace files.

Thanks,
moody