From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-1.6 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, NICE_REPLY_A,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 10977 invoked from network); 21 Jun 2022 13:19:06 -0000 Received: from 9front.inri.net (168.235.81.73) by inbox.vuxu.org with ESMTPUTF8; 21 Jun 2022 13:19:06 -0000 Received: from mail.posixcafe.org ([45.76.19.58]) by 9front; Tue Jun 21 09:16:52 -0400 2022 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=posixcafe.org; s=20200506; t=1655817409; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=3UW9eoYhVMEzm+c3KpAsEZNYfS1vobWczQDR1i3784A=; b=WcHt7R2DTez0BWhJZOHG+S1NIe0nOwJrG6o+iUeTbcndp6bM48x2QvxYobqAdTyf1UMKUN 6RxVXNdK5EMCMu/vusYg0cllB5/0tElHNlcDkaqsbSMSA7n/fe49rVtyJtL4nxgNmpQZ4x KvXPx6mPI/qXPo57BA3DxRLqu6Lqfko= Received: from [192.168.168.200] (161-97-228-135.lpcnextlight.net [161.97.228.135]) by mail.posixcafe.org (OpenSMTPD) with ESMTPSA id 7bf7e9dd (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO) for <9front@9front.org>; Tue, 21 Jun 2022 08:16:48 -0500 (CDT) Message-ID: <4a8d0815-0bd5-91e1-0a7a-048088dbd2c2@posixcafe.org> Date: Tue, 21 Jun 2022 07:15:50 -0600 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.8.1 Content-Language: en-US To: 9front@9front.org References: From: Jacob Moody In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit List-ID: <9front.9front.org> List-Help: X-Glyph: ➈ X-Bullshit: immutable method WEB2.0 out-scaling-scale descriptor Subject: Re: [9front] httpd minimal configuration Reply-To: 9front@9front.org Precedence: bulk On 6/21/22 06:58, planless.user9 wrote: > Thank you very much for your fast and helpful reply. > > I will look at the source code in that case, hoping to get a simple web server set up. > > Are there concrete insecurities in the implementation of namespaces? > Some thoughts: First off you seemed to imply that rc-httpd had to be used with werc, this is not the case. If your goal is to just serve some static files rc-httpd on its own is more then capable. I would be curious to hear your reasoning for preferring httpd. Hiro claims that namespaces are not security boundaries. I think I would agree maybe 6 months ago, but some work has been done lately to change this. I'd argue that with chdev and auth/box we're in a much much nicer spot in regards to making namespaces proper security boundaries, if you still disagree with this statement I would be curious to hear what you think still needs changed. Also you mention /lib/namespace.httpd, it _is_ expected that you customize it for your system, modify it to place your webroot in the right spot. However if you are using rc-httpd with aux/listen, there is a namespace file already that takes advantage of newer security features: /rc/bin/service/!tcp80.namespace. If you would wish to use this, cp /rc/bin/!tcp80 /rc/bin/tcp80 and cp /rc/bin/!tcp80.namespace /rc/bin/tcp80.namespace, then customize as desired. If you need some tips on writing/reading namespace files, check namespace(6), and the associated (1) pages for commands mirrored in namespace files. Thanks, moody