From: ori@eigenstate.org
To: 9front@9front.org
Date: Sun, 10 Jul 2022 17:47:27 -0400
Subject: Re: [9front] [PATCH] private /srv attach option
In-Reply-To: <6bb0ee7b-0916-a6df-913e-3f41256ce1eb@posixcafe.org>
Reply-To: 9front@9front.org

Quoth Jacob Moody :
> This patch adds a 'p' attach option to srv to get a private session.
> The sessions work similarly to #| sessions.
>
> Attaching a private /srv does not affect future
> attaches to '#s' without the private option.
> I figure the global /srv can be explicitly
> given up through chdev if desired.
>

For those following along, https://shithub.us is now
running an updated version of this code, along with
the patch to grow the size of args, and a slightly
tweaked version of auth/box.

sandboxing is now done with:

#!/bin/auth/box -r/mnt -r/usr/git -r/sys/lib/tcp80 -r/usr/web -r/sys/lib/shithub -r/n -r/dev -eM -s
<[3]/srv/clone{
	d=`{<[0=3]read}
	bind /srv/$d /srv
	# ugly, but we don't want to leak the clone fd into
	# procs that may stick around.
	<[3=0]{
		rfork n
		bind /usr/web /mnt/static
		execfs -m /usr/web /sys/lib/tcp80/gitrules
		bind /mnt/static /usr/web/static
		rfork n
		cd /
		exec /bin/tcp80
	}
}

using auth/box as a #! line is quite nice, though
even with the `-s` option, the lines tend to get a
bit long.