Why is my sandbox trying to access /etc/ssl/certs.pem?


William J. Bowman

Jan 4, 2021, 6:47:36 PM
to Racket Users
I have a sandbox that loads scribble/manual (indirectly) to render some HTML.
But it crashes with the following error:
> racket -e "(require racket/sandbox)" -e "((make-evaluator 'racket/base) '(require scribble/manual))"
file-exists?: `exists' access denied for /etc/ssl/cert.pem
errortrace...:
context...:
do-error
security-guard-check-file
->host
file-exists?
..../racket/racket/collects/openssl/mzssl.rkt:397:0: x509-root-sources
interpret
[repeats 1 more time]
proc
call-in-empty-metacontinuation-frame
body of "..../racket/racket/collects/openssl/mzssl.rkt"
interpret-expr
body of top-level
run-module-instance!
[repeats 12 more times]
perform-require!
loop

This is strange, since openssl shouldn't actually be needed.

I could just allow access to the file, but the path depends on which operating system I'm running on, making this slightly complicated, and the access isn't necessary.

Is there some way to trick Racket into not trying to do this, or else some parameter I can use to provide access to whatever openssl is going to try to touch without hardcoding the paths?

--
William J. Bowman

Sage Gerard

Jan 4, 2021, 6:53:27 PM
to William J. Bowman, Racket Users
If you just want to silence the error with a blunt instrument, then you could
try a parameterization where sandbox-path-permissions is set to:

;; grant `exists' on every filesystem root (the map call must be closed
;; before the second argument to append, otherwise the permissions list
;; becomes a second list argument to map)
(append (map (λ (p) `(exists ,p)) (filesystem-root-list))
        (sandbox-path-permissions))

This suffices since it is an existential check, not a file read.

~slg



Sage Gerard

Jan 4, 2021, 7:07:20 PM
to William J. Bowman, Racket Users
Heads up: My earlier example was missing a closing paren. Also just saw that your subject line asked "Why", so I checked.

openssl/mzssl provides a parameter called `ssl-default-verify-sources'. See [1]. The parameter is created during module instantiation with an OS-dependent default value.

When you create a sandboxed evaluator, it is impacted by several parameters. The default values of those parameters have little to no trust in the code, and will deny ALL filesystem access. Also, all Racket modules that are not shared with the evaluator are instantiated again. So you need to account for what happens as a side effect of all instantiations needed to get the evaluator up and running. If some module somewhere happens to require openssl/mzssl (even if you don't need it), then you are impacted by the permissions on the evaluator.

My earlier example was crude precisely because it is a blanket grant of existential checks for all filesystem paths. For better security habits, you can just add one `exists' permission to `(sandbox-path-permissions)' based on the value of `(ssl-default-verify-sources)'.

[1]: https://docs.racket-lang.org/openssl/index.html?q=ssl-default-verify-sources#%28def._%28%28lib._openssl%2Fmain..rkt%29._ssl-default-verify-sources%29%29



~slg


William J. Bowman

Jan 4, 2021, 7:10:13 PM
to Sage Gerard, Racket Users
Thanks for the explanation.

I can't figure out why scribble/manual needs openssl, but oh well.

After reading through openssl, I've gone with a slightly less blunt instrument:

> (require racket/sandbox
>          rackunit) ; require/expose comes from rackunit
> ;; X509_get_default_cert_file is not exported by openssl/mzssl, hence require/expose
> (require/expose openssl/mzssl (X509_get_default_cert_file))
>
> ...
> ;; grant `exists' only on the one path mzssl probes at instantiation
> [sandbox-path-permissions (append `((exists ,(X509_get_default_cert_file)))
>                                   (sandbox-path-permissions))]
> ...

--
William J. Bowman
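The narrower grant Sage describes above (one `exists' entry per entry of `(ssl-default-verify-sources)', rather than every filesystem root), carried through to a working evaluator. This is an added example, not code from the thread; it assumes the main distribution's openssl and scribble collections are installed, and the helper names are my own.

```racket
#lang racket/base
;; Added example (not from the thread): derive the sandbox's `exists'
;; permissions from the parent's ssl-default-verify-sources so that the
;; openssl/mzssl instantiation inside the sandbox does not trip the
;; security guard, without hardcoding /etc/ssl/cert.pem.
(require racket/sandbox
         openssl)   ; provides the ssl-default-verify-sources parameter

;; A verify source is a path-string, (directory dir), (win32-store name)
;; or (macosx-keychain path). Only the ones naming a filesystem path are
;; probed with file-exists?/directory-exists?; the others return #f here.
(define (verify-source->path src)
  (cond [(path-string? src) src]
        [(and (pair? src) (memq (car src) '(directory macosx-keychain)))
         (cadr src)]
        [else #f]))

;; Build `(exists ,path) entries, one per filesystem-backed source.
(define (cert-exists-permissions)
  (for*/list ([src (in-list (ssl-default-verify-sources))]
              [p (in-value (verify-source->path src))]
              #:when p)
    `(exists ,p)))

;; Permissions are captured when the evaluator is created, so the
;; parameterize must wrap make-evaluator, not the later evaluation.
(define evaluator
  (parameterize ([sandbox-path-permissions
                  (append (cert-exists-permissions)
                          (sandbox-path-permissions))])
    (make-evaluator 'racket/base)))

;; The require that failed in the original report now instantiates
;; openssl/mzssl under the sandbox with only existence checks allowed.
(evaluator '(require scribble/manual))
(printf "granted: ~s\n" (cert-exists-permissions))
```

Caveat: the trace in the first message shows `x509-root-sources' computing the default by probing with `file-exists?', so a path absent on the host is filtered out of the parent's list yet may still be probed inside the sandbox; if a denial remains for such a path, add it explicitly as William did with `X509_get_default_cert_file'.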

Sage Gerard

Jan 4, 2021, 7:15:25 PM
to William J. Bowman, Racket Users
I don't know if Scribble needs OpenSSL, but a dependency probably does. The only precondition of that error is that openssl/mzssl appears *somewhere* among the dependencies. I run into that same error for evaluators that have nothing to do with Scribble.

~slg



Robby Findler

Jan 4, 2021, 7:27:23 PM
to Sage Gerard, William J. Bowman, Racket Users
If you open a file that requires scribble/manual with the module browser (available via the Racket menu item in DrRacket), you'll see that ssl is needed by the code that opens urls (presumably to do https) which is needed by the code that handles planet requires (since planet requires may involve http requests) which is needed by the code that handles tags (presumably these tags go via require paths, maybe?) in scribble. At least, I think I might be getting that right.

Robby


William J. Bowman

Jan 4, 2021, 7:45:51 PM
to Robby Findler, Sage Gerard, Racket Users
Ah! I didn’t know about the module browser, thanks! And I guess this chain makes sense.

-- 
Sent from my phoneamajig


Robby Findler

Jan 4, 2021, 7:55:18 PM
to William J. Bowman, Racket Users, Sage Gerard
Complicated systems are surprising! Somehow each little step wasn't completely crazy .... and yet .... there must be a lesson in here somewhere. :)

Robby 

