Commit Diff


commit - 01e922766d6d214c765b616653c460adbd97d277
commit + 13e4d4f78b59136f0e590fbb4cb79a4c94551576
blob - f4454c6a1ab5c1c83b582245dc30311184f86d73
blob + b877f82e3dcd00ae23d8d76a3ce63b13384c1498
--- README.md
+++ README.md
@@ -49,9 +49,10 @@ This is safe to run repeatedly as it uses `CREATE TABL
 
 The configuration options are as follows:
 
-| Env        | Type     | Description                                                |
-|------------|----------|------------------------------------------------------------|
-| `DESKD_DB` | `string` | **Required.** The DSN used to access a sqlite database storing bookings. |
+| Env              | Type     | Description                                                |
+|------------------|----------|------------------------------------------------------------|
+| `DESKD_DB`       | `string` | **Required.** The DSN used to access a sqlite database storing bookings. |
+| `SQLITE_TMPDIR`  | `string` | Directory for SQLite temporary files. On OpenBSD this should be set to the database directory so that temp files are accessible inside the `unveil` sandbox. |
 
 The parent directory of the database file must already exist and be writable
 by the application. `deskd` will not create directories automatically.
@@ -122,6 +123,7 @@ server "deskd.example.com" {
 		fastcgi {
 			param SCRIPT_FILENAME "/cgi-bin/deskd"
 			param DESKD_DB "/db/deskd.db"
+			param SQLITE_TMPDIR "/db"
 		}
 	}
 }
blob - d65eb69ee4e046155131a909de53b5e85e5f3e47
blob + e889ef2141cd9def0b1f3aa302ba15309f7a89da
--- deskd.c
+++ deskd.c
@@ -95,6 +95,29 @@ main(const int argc, char *argv[])
 	}
 	free(dbpath);
 
+	/* SQLite reads /dev/urandom to seed its PRNG. */
+	if (unveil("/dev/urandom", "r") != 0) {
+		fprintf(stderr, "unveil: /dev/urandom\n");
+		return 1;
+	}
+
+	/*
+	 * If SQLITE_TMPDIR is set, unveil it so that SQLite can
+	 * create temporary files there (statement journals, transient
+	 * indices, materialised subqueries, VACUUM).  On OpenBSD the
+	 * default candidates (/var/tmp, /usr/tmp, /tmp) are blocked
+	 * by unveil, so deployers should point SQLITE_TMPDIR at a
+	 * directory that is already inside the chroot — typically
+	 * the same directory that holds the database.
+	 */
+	const char *tmpdir = getenv("SQLITE_TMPDIR");
+	if (tmpdir != NULL && *tmpdir != '\0') {
+		if (unveil(tmpdir, "rwc") != 0) {
+			fprintf(stderr, "unveil: %s\n", tmpdir);
+			return 1;
+		}
+	}
+
 	/* Lock the unveil list; no further paths can be added. */
 	if (unveil(NULL, NULL) != 0) {
 		fprintf(stderr, "unveil lock failed\n");
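Review bot: The `unveil(tmpdir, "rwc")` call takes the directory straight from `SQLITE_TMPDIR` and grants create-and-remove rights over the whole directory, which is wider than an unveil of the database file alone and is only as safe as the value the environment supplies. In the shipped httpd.conf the value comes from a trusted `param` line, but a relative path or one pointing at a shared directory would silently widen the sandbox, so I would reject anything non-absolute before unveiling it: `if (*tmpdir != '/') { fprintf(stderr, "SQLITE_TMPDIR must be an absolute path\n"); return 1; }`. The block comment could also mention that `PRAGMA temp_store=MEMORY` (or an SQLite built with SQLITE_TEMP_STORE=3) avoids on-disk temporary files altogether and may be the tighter option for a small bookings database, though whether VACUUM is covered by that setting should be confirmed against the SQLite version in use. main() begins before and continues past this hunk, so the earlier unveil of the database path is not visible here.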