On Thu, Sep 26, 2019 at 05:27:08PM +0200, Solene Rapenne wrote: > Hi, now that we have OpenBSD::Pledge I thought it would be nice to use > it in devel/cvsweb > > I've been able to tighten it to "rpath proc exec prot_exec"; removing > wpath and cpath was possible by commenting out the lines piping STDERR to > /dev/null. That doesn't mean creating dev/null is not required anymore; > it's still required for cvsweb to work correctly (due to rlog I think). > > I updated pkg/README because this requires OpenBSD/Pledge.pm and a .so > file to be copied into the chroot too. > > I had some testing on the www repository by a lot of people and it worked > perfectly.
Be careful that error messages do not show up on the web pages generated by not redirecting stderr... -Otto > > > Index: Makefile > =================================================================== > RCS file: /data/cvs/ports/devel/cvsweb/Makefile,v > retrieving revision 1.62 > diff -u -p -r1.62 Makefile > --- Makefile 12 Jul 2019 20:44:07 -0000 1.62 > +++ Makefile 26 Sep 2019 14:24:53 -0000 > @@ -3,7 +3,7 @@ > COMMENT= CGI script to browse CVS repository trees > > DISTNAME= cvsweb-2.0.6 > -REVISION= 27 > +REVISION= 28 > CATEGORIES= devel www > HOMEPAGE= http://www.freebsd.org/projects/cvsweb.html > > Index: patches/patch-cvsweb_cgi > =================================================================== > RCS file: /data/cvs/ports/devel/cvsweb/patches/patch-cvsweb_cgi,v > retrieving revision 1.13 > diff -u -p -r1.13 patch-cvsweb_cgi > --- patches/patch-cvsweb_cgi 7 Apr 2013 20:07:24 -0000 1.13 > +++ patches/patch-cvsweb_cgi 26 Sep 2019 15:21:46 -0000 > @@ -1,6 +1,7 @@ > $OpenBSD: patch-cvsweb_cgi,v 1.13 2013/04/07 20:07:24 naddy Exp $ > ---- cvsweb.cgi.orig Thu Sep 26 22:56:05 2002 > -+++ cvsweb.cgi Sun Apr 7 14:15:55 2013 > +Index: cvsweb.cgi > +--- cvsweb.cgi.orig > ++++ cvsweb.cgi > @@ -1,4 +1,4 @@ > -#!/usr/bin/perl -wT > +#!/usr/bin/perl -w 
> @@ -37,7 +38,27 @@ $OpenBSD: patch-cvsweb_cgi,v 1.13 2013/0 > ); > > @LOGSORTKEYS = qw(cvs date rev); > -@@ -2014,20 +2009,6 @@ sub doDiff($$$$$$) { > +@@ -249,7 +244,10 @@ EOM > + > + use Time::Local (); > + use IPC::Open2 qw(open2); > ++use OpenBSD::Pledge; > + > ++pledge( qw( rpath proc exec prot_exec ) ) || die "Can't pledge: $!"; > ++ > + # Check if the zlib C library interface is installed, and if yes > + # we can avoid using the extra gzip process. > + eval { require Compress::Zlib; }; > +@@ -1578,7 +1576,7 @@ sub openOutputFilter() { > + open(STDOUT, "|-") and return; > + > + # child of child > +- open(STDERR, '>/dev/null'); > ++ #open(STDERR, '>/dev/null'); > + exec($output_filter) or exit -1; > + } > + > +@@ -2014,20 +2012,6 @@ sub doDiff($$$$$$) { > my @difftype = @{$difftype->{'opts'}}; > my $human_readable = $difftype->{'colored'}; 
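Review bot: The `pledge( qw( rpath proc exec prot_exec ) )` call added after `use OpenBSD::Pledge;` carries no comment saying why each promise is needed or what the list does not cover. Per pledge(2), a program started under the `exec` promise begins without pledge unless execpromises were set, so the processes started by `exec($output_filter)` here and `exec($CMD{rlog}, ...)` in the getDirLogs hunk are not restricted by this list. I would document that above the call, e.g. `# proc/exec: fork+exec rlog and the output filter (children are NOT pledged); prot_exec: presumably for XS loading by the require Compress::Zlib below; confirm`. The three `#open(STDERR, '>/dev/null');` lines (one in openOutputFilter, two in getDirLogs) would read better deleted, or replaced by a comment giving the pledge reason, than left as commented-out code with the old "rlog may complain; ignore." remark still attached. Both functions begin and end outside the quoted context.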
> > @@ -58,7 +79,24 @@ $OpenBSD: patch-cvsweb_cgi,v 1.13 2013/0 > if ($human_readable) { > if ($hr_ignwhite) { > push @difftype, '-w'; > -@@ -2658,7 +2639,7 @@ sub printLog($;$) { > +@@ -2128,14 +2112,14 @@ sub getDirLogs($$@) { > + > + #can't use -r<tag> as - is allowed in tagnames, but > misinterpreated by rlog.. > + if (!open($fh, "-|")) { # child > +- open(STDERR, '>/dev/null'); # rlog may complain; ignore. > ++ #open(STDERR, '>/dev/null'); # rlog may complain; > ignore. > + openOutputFilter(); > + exec($CMD{rlog}, @files) or exit -1; > + } > + } else { > + > + if (!open($fh, "-|")) { # child > +- open(STDERR, '>/dev/null'); # rlog may complain; ignore. > ++ #open(STDERR, '>/dev/null'); # rlog may complain; > ignore. > + openOutputFilter(); > + exec($CMD{rlog}, '-r', @files) or exit -1; > + } > +@@ -2658,7 +2642,7 @@ sub printLog($;$) { > if (/^1\.1\.1\.\d+$/) { > print " <i>(vendor branch)</i>"; > } > Index: pkg/README > =================================================================== > RCS file: /data/cvs/ports/devel/cvsweb/pkg/README,v > retrieving revision 1.18 > diff -u -p -r1.18 README > --- pkg/README 2 May 2019 18:58:38 -0000 1.18 > +++ pkg/README 26 Sep 2019 14:24:47 -0000 > @@ -22,7 +22,7 @@ cd /var/www/usr > mkdir -p bin lib libdata/perl5 libexec > > cd /var/www/usr/libdata/perl5 > -mkdir -p File IPC Time warnings `arch -s`-openbsd/auto/{Cwd,Fcntl} unicore > +mkdir -p File IPC Time warnings `arch > -s`-openbsd/auto/{Cwd,Fcntl,OpenBSD/Pledge} `arch -s`-openbsd/OpenBSD unicore > > # The "annotate" function requires this empty file: > # 
> @@ -72,6 +72,8 @@ cp -p /usr/libdata/perl5/`arch -s`-openb > cp -p /usr/libdata/perl5/`arch -s`-openbsd/DynaLoader.pm . > cp -p /usr/libdata/perl5/`arch -s`-openbsd/Fcntl.pm . > cp -p /usr/libdata/perl5/`arch -s`-openbsd/auto/Fcntl/Fcntl.so ./auto/Fcntl/ > +cp -p /usr/libdata/perl5/`arch -s`-openbsd/OpenBSD/Pledge.pm ./OpenBSD/ > +cp -p /usr/libdata/perl5/`arch -s`-openbsd/auto/OpenBSD/Pledge/Pledge.so > ./auto/OpenBSD/Pledge/ > > # You also need to enable slowcgi(8): > >