authorbptato <nincsnevem662@gmail.com>2024-05-16 18:35:22 +0200
committerbptato <nincsnevem662@gmail.com>2024-05-16 18:58:13 +0200
commited84d7223fd8945705dcedd204fee137b249c524 (patch)
tree3539b9ccb5af2de6ad66e6d3362bff83abc1df88
parent87a5c636eb203cd066a620129f93c30b02245ad9 (diff)
downloadchawan-ed84d7223fd8945705dcedd204fee137b249c524.tar.gz
config: separate tmp dir for sockets, users
* add $LOGNAME to the tmp directory name, so that tmpdirs of separate
  users don't conflict
* use separate directory for sockets, so that we do not have to give
  buffers access to all cached pages
-rw-r--r--res/config.toml3
-rw-r--r--src/config/config.nim11
-rw-r--r--src/loader/loader.nim3
-rw-r--r--src/local/client.nim9
-rw-r--r--src/main.nim5
-rw-r--r--src/server/forkserver.nim11
-rw-r--r--src/utils/sandbox.nim2
7 files changed, 22 insertions, 22 deletions
diff --git a/res/config.toml b/res/config.toml
index 23f37846..f126467c 100644
--- a/res/config.toml
+++ b/res/config.toml
@@ -237,7 +237,8 @@ urimethodmap = [
 	"/etc/urimethodmap",
 	"/usr/local/etc/w3m/urimethodmap"
 ]
-tmpdir = "/tmp/cha"
+tmpdir = "/tmp/cha-tmp-$LOGNAME"
+sockdir = "/tmp/cha-sock-$LOGNAME"
 editor = "${EDITOR:-vi}"
 cgi-dir = "${%CHA_LIBEXEC_DIR}/cgi-bin"
 download-dir = "/tmp/"
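Review bot: Both new paths still live in the shared, world-writable /tmp, so another local user can pre-create `/tmp/cha-sock-alice` or `/tmp/cha-tmp-alice` before Alice starts the browser and end up owning the directory her buffer sockets and cached pages are placed in; the `$LOGNAME` suffix keeps different users' own directories apart but does nothing against that. `$LOGNAME` is also not guaranteed to be set (some cron and `su` invocations leave it empty), and then both names collapse to `/tmp/cha-tmp-` and `/tmp/cha-sock-`, shared by every user, which is exactly the collision this commit sets out to remove. Since the next line already relies on the `${EDITOR:-vi}` default syntax, a per-user runtime directory could be preferred where one exists, e.g. `sockdir = "${XDG_RUNTIME_DIR:-/tmp}/cha-sock-$LOGNAME"`, assuming the expander accepts trailing text after a `${...}` group, which I cannot confirm from this hunk. Whatever the path, the Nim side should create it as mode 0700 and refuse a directory not owned by the current uid; a config default alone cannot enforce that.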
diff --git a/src/config/config.nim b/src/config/config.nim
index 872f0440..4869d79c 100644
--- a/src/config/config.nim
+++ b/src/config/config.nim
@@ -86,6 +86,7 @@ type
 
   ExternalConfig = object
     tmpdir* {.jsgetset.}: ChaPathResolved
+    sockdir* {.jsgetset.}: ChaPathResolved
     editor* {.jsgetset.}: string
     mailcap*: Mailcap
     mime_types*: MimeTypes
@@ -149,10 +150,6 @@ type
     page* {.jsget.}: ActionMap
     line* {.jsget.}: ActionMap
 
-  ForkServerConfig* = object
-    tmpdir*: string
-    ambiguous_double*: bool
-
 jsDestructor(ActionMap)
 jsDestructor(StartConfig)
 jsDestructor(CSSConfig)
@@ -284,12 +281,6 @@ proc readUserStylesheet(dir, file: string): string =
     result = s.readAll()
     s.close()
 
-proc getForkServerConfig*(config: Config): ForkServerConfig =
-  return ForkServerConfig(
-    tmpdir: config.external.tmpdir,
-    ambiguous_double: config.display.double_width_ambiguous
-  )
-
 type ConfigParser = object
   config: Config
   dir: string
diff --git a/src/loader/loader.nim b/src/loader/loader.nim
index 8c5fd5d5..c378523b 100644
--- a/src/loader/loader.nim
+++ b/src/loader/loader.nim
@@ -124,6 +124,7 @@ type
     uriMethodMap*: URIMethodMap
     w3mCGICompat*: bool
     tmpdir*: string
+    sockdir*: string
 
   LoaderClientConfig* = object
     cookieJar*: CookieJar
@@ -705,7 +706,7 @@ proc initLoaderContext(fd: cint; config: LoaderConfig): LoaderContext =
   gctx = ctx
   let myPid = getCurrentProcessId()
   # we don't capsicumize loader, so -1 is appropriate here
-  ctx.ssock = initServerSocket(config.tmpdir, -1, myPid, blocking = true)
+  ctx.ssock = initServerSocket(config.sockdir, -1, myPid, blocking = true)
   let sfd = int(ctx.ssock.sock.getFd())
   ctx.selector.registerHandle(sfd, {Read}, 0)
   # The server has been initialized, so the main process can resume execution.
diff --git a/src/local/client.nim b/src/local/client.nim
index f5e722e3..07a7c523 100644
--- a/src/local/client.nim
+++ b/src/local/client.nim
@@ -427,10 +427,10 @@ proc acceptBuffers(client: Client) =
     client.selector.registerHandle(fd, {Read, Write}, 0)
   for item in pager.procmap:
     let container = item.container
-    let stream = connectSocketStream(client.config.external.tmpdir,
+    let stream = connectSocketStream(client.config.external.sockdir,
       client.loader.sockDirFd, container.process)
     # unlink here; on Linux we can't unlink from the buffer :/
-    discard tryRemoveFile(getSocketPath(client.config.external.tmpdir,
+    discard tryRemoveFile(getSocketPath(client.config.external.sockdir,
       container.process))
     if stream == nil:
       pager.alert("Error: failed to set up buffer")
@@ -838,10 +838,11 @@ proc newClient*(config: Config; forkserver: ForkServer; jsctx: JSContext;
     urimethodmap: config.external.urimethodmap,
     w3mCGICompat: config.external.w3m_cgi_compat,
     cgiDir: seq[string](config.external.cgi_dir),
-    tmpdir: config.external.tmpdir
+    tmpdir: config.external.tmpdir,
+    sockdir: config.external.sockdir
   ))
   let loader = FileLoader(process: loaderPid, clientPid: getCurrentProcessId())
-  loader.setSocketDir(config.external.tmpdir)
+  loader.setSocketDir(config.external.sockdir)
   pager.setLoader(loader)
   let client = Client(
     config: config,
diff --git a/src/main.nim b/src/main.nim
index b28d6f24..a5c7d3dc 100644
--- a/src/main.nim
+++ b/src/main.nim
@@ -206,9 +206,10 @@ proc main() =
   if ctx.pages.len == 0 and not config.start.headless:
     if stdin.isatty():
       help(1)
-  # make sure tmpdir actually exists; if we do this later, then forkserver may
-  # try to open an empty dir
+  # make sure tmpdir & sockdir both exist; if we do this later, then
+  # forkserver may try to open an empty dir
   createDir(config.external.tmpdir)
+  createDir(config.external.sockdir)
   forkserver.loadForkServerConfig(config)
   let client = newClient(config, forkserver, jsctx, warnings)
   try:
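Review bot: The two `createDir` calls create the directories with the process umask (typically 0755 under /tmp) and succeed silently when the path already exists, including when it is a symlink to an existing directory or a directory pre-created by another local user in the shared /tmp; the sockets that `initServerSocket` later places in `sockdir` would then sit in a directory that user controls and can read. The minimum I would add is an ownership and type check after creation plus a `chmod` to 0700, so the only thing a hostile pre-created path achieves is a loud failure instead of a silent takeover. The helper below needs `std/posix` for `lstat`, `S_ISDIR` and `getuid`; main.nim's import block is outside this hunk, so I cannot tell whether it is already in scope, and `quit(1)` follows the `help(1)` exit seen at the top of the hunk rather than any error-reporting convention I can see. `main()` starts before and ends after this hunk.
```nim
proc createPrivateDir(path: string) =
  ## Create `path` for the current user only. `createDir` succeeds when the
  ## directory already exists, so without this check a directory or symlink
  ## planted by another user in a shared /tmp would be used silently.
  createDir(path)
  var st: Stat
  if lstat(cstring(path), st) != 0 or not S_ISDIR(st.st_mode) or
      st.st_uid != getuid():
    stderr.write("Error: refusing to use " & path &
      ": not a directory owned by the current user\n")
    quit(1)
  # sockets and cached pages are private to this user
  setFilePermissions(path, {fpUserRead, fpUserWrite, fpUserExec})

# … unchanged: main() up to the headless/tty check …
  createPrivateDir(config.external.tmpdir)
  createPrivateDir(config.external.sockdir)
  forkserver.loadForkServerConfig(config)
```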
diff --git a/src/server/forkserver.nim b/src/server/forkserver.nim
index 23204629..5d466292 100644
--- a/src/server/forkserver.nim
+++ b/src/server/forkserver.nim
@@ -41,6 +41,10 @@ type
     sockDirFd: int
     sockDir: string
 
+  ForkServerConfig* = object
+    sockdir*: string
+    ambiguous_double*: bool
+
 proc forkLoader*(forkserver: ForkServer; config: LoaderConfig): int =
   forkserver.ostream.withPacketWriter w:
     w.swrite(fcForkLoader)
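Review bot: The moved `ForkServerConfig` keeps the snake_case field `ambiguous_double` from its old home in config.nim while the fields directly above it in this file (`sockDirFd`, `sockDir`) are camelCase; Nim compares identifiers style-insensitively, so renaming it `ambiguousDouble` at the two use sites is mechanical and would make the type read consistently with its new neighbours. Because this object is written with `w.swrite` in `loadForkServerConfig` and read back with `r.sread` in `runForkServer`, it is effectively the control-pipe wire format between the client and the fork server, and presumably serialized field by field in declaration order; a doc comment on the type would stop the next editor from reordering or adding fields without updating both ends, e.g. `## Sent from the client to the fork server over the control pipe; both ends must agree on the field list and order.`.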
@@ -53,7 +57,10 @@ proc forkLoader*(forkserver: ForkServer; config: LoaderConfig): int =
 proc loadForkServerConfig*(forkserver: ForkServer; config: Config) =
   forkserver.ostream.withPacketWriter w:
     w.swrite(fcLoadConfig)
-    w.swrite(config.getForkServerConfig())
+    w.swrite(ForkServerConfig(
+      sockdir: config.external.sockdir,
+      ambiguous_double: config.display.double_width_ambiguous
+    ))
 
 proc removeChild*(forkserver: ForkServer; pid: int) =
   forkserver.ostream.withPacketWriter w:
@@ -234,7 +241,7 @@ proc runForkServer() =
           var config: ForkServerConfig
           r.sread(config)
           set_cjk_ambiguous(config.ambiguous_double)
-          ctx.sockDir = config.tmpdir
+          ctx.sockDir = config.sockdir
           when defined(freebsd):
             ctx.sockDirFd = open(cstring(ctx.sockDir), O_DIRECTORY)
     except EOFError:
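Review bot: The FreeBSD branch stores the result of `open(cstring(ctx.sockDir), O_DIRECTORY)` straight into `ctx.sockDirFd` without checking it; the new `sockdir` received from the client may not exist yet, may be unreadable, or may be a regular file planted at that path, and in each case `open` returns -1, which then propagates into every later socket operation relative to the directory fd and fails far from the cause. Since the whole point of the separate directory is that the fd handed to sandboxed buffers covers only the sockets, a failure here should be fatal and explicit, e.g. `if ctx.sockDirFd == -1: raise newException(OSError, "cannot open socket dir " & ctx.sockDir)` or whatever error path `runForkServer` already uses, which I cannot see. The `open` itself is a context line that predates this commit, but the new code routes the new directory through it. `runForkServer` starts and ends outside the hunk.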
diff --git a/src/utils/sandbox.nim b/src/utils/sandbox.nim
index 130389ab..0d0b5770 100644
--- a/src/utils/sandbox.nim
+++ b/src/utils/sandbox.nim
@@ -7,8 +7,6 @@
 #
 # On FreeBSD, we create a file descriptor to the directory sockets
 # reside in, and then use that for manipulating our sockets.
-#(TODO: currently this is the same directory as the cache directory, which
-# is sub-optimal because rogue buffers could access cached files.)
 #
 # Capsicum does not enable more fine-grained capability control, but
 # in practice the things it does enable should not be enough to harm the