commit 13e4d4f78b59136f0e590fbb4cb79a4c94551576 from: Alisdair MacLeod via: Alisdair MacLeod <131350026+admacleod@users.noreply.github.com> date: Fri Mar 27 11:41:13 2026 UTC Unveil /dev/urandom and SQLITE_TMPDIR for SQLite on OpenBSD SQLite internally opens /dev/urandom to seed its PRNG and searches /var/tmp, /usr/tmp, /tmp for temporary files. Both are blocked by the unveil sandbox, producing spurious accounting log entries. Unveil /dev/urandom unconditionally so SQLite gets proper entropy instead of falling back to time()+getpid(). For temp files, unveil the path in SQLITE_TMPDIR when set, letting deployers point it at the database directory already inside the chroot. Co-Authored-By: Claude Opus 4.6 (1M context) commit - 01e922766d6d214c765b616653c460adbd97d277 commit + 13e4d4f78b59136f0e590fbb4cb79a4c94551576 blob - f4454c6a1ab5c1c83b582245dc30311184f86d73 blob + b877f82e3dcd00ae23d8d76a3ce63b13384c1498
--- README.md
+++ README.md
@@ -49,9 +49,10 @@ This is safe to run repeatedly as it uses `CREATE TABL
 The configuration options are as follows:
-| Env | Type | Description |
-|------------|----------|------------------------------------------------------------|
-| `DESKD_DB` | `string` | **Required.** The DSN used to access a sqlite database storing bookings. |
+| Env | Type | Description |
+|------------------|----------|------------------------------------------------------------|
+| `DESKD_DB` | `string` | **Required.** The DSN used to access a sqlite database storing bookings. |
+| `SQLITE_TMPDIR` | `string` | Directory for SQLite temporary files. On OpenBSD this should be set to the database directory so that temp files are accessible inside the `unveil` sandbox. |
 The parent directory of the database file must already exist and be writable by the application. `deskd` will not create directories automatically. 
@@ -122,6 +123,7 @@ server "deskd.example.com" {
 fastcgi {
 param SCRIPT_FILENAME "/cgi-bin/deskd"
 param DESKD_DB "/db/deskd.db"
+ param SQLITE_TMPDIR "/db"
 }
 }
 }
blob - d65eb69ee4e046155131a909de53b5e85e5f3e47 blob + e889ef2141cd9def0b1f3aa302ba15309f7a89da
--- deskd.c
+++ deskd.c
@@ -95,6 +95,29 @@ main(const int argc, char *argv[])
 }
 free(dbpath);
+ /* SQLite reads /dev/urandom to seed its PRNG. */
+ if (unveil("/dev/urandom", "r") != 0) {
+ fprintf(stderr, "unveil: /dev/urandom\n");
+ return 1;
+ }
+
+ /*
+ * If SQLITE_TMPDIR is set, unveil it so that SQLite can
+ * create temporary files there (statement journals, transient
+ * indices, materialised subqueries, VACUUM). On OpenBSD the
+ * default candidates (/var/tmp, /usr/tmp, /tmp) are blocked
+ * by unveil, so deployers should point SQLITE_TMPDIR at a
+ * directory that is already inside the chroot — typically
+ * the same directory that holds the database.
+ */
+ const char *tmpdir = getenv("SQLITE_TMPDIR");
+ if (tmpdir != NULL && *tmpdir != '\0') {
+ if (unveil(tmpdir, "rwc") != 0) {
+ fprintf(stderr, "unveil: %s\n", tmpdir);
+ return 1;
+ }
+ }
+
 /* Lock the unveil list; no further paths can be added. */
 if (unveil(NULL, NULL) != 0) {
 fprintf(stderr, "unveil lock failed\n");
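Review bot: `unveil(tmpdir, "rwc")` widens the sandbox to whatever SQLITE_TMPDIR names without confirming it is an existing directory, so a typo in the httpd `param` line is not caught here: as I read unveil(2), with "c" the final component need not exist and the call still succeeds, and SQLite's temp-directory probing (unixTempFileDir in os_unix.c) skips a candidate that is not a writable directory and falls back to /var/tmp, /usr/tmp, /tmp — the blocked candidates this commit is meant to keep out of the accounting log — with no diagnostic from deskd. A stat(2)/S_ISDIR check before the unveil turns that misconfiguration into a startup failure with a clear message, in the same `fprintf(stderr, …); return 1;` shape the rest of the hunk uses. This needs `<sys/stat.h>`, which I cannot see from this hunk, and if pledge(2) is already in effect at this point stat additionally needs rpath. The enclosing main() starts and ends outside the hunk.

```c
	const char *tmpdir = getenv("SQLITE_TMPDIR");
	if (tmpdir != NULL && *tmpdir != '\0') {
		struct stat st;

		/*
		 * Refuse to unveil a path SQLite would silently skip; a
		 * missing or non-directory SQLITE_TMPDIR would otherwise
		 * send it back to the blocked /tmp candidates.
		 */
		if (stat(tmpdir, &st) != 0 || !S_ISDIR(st.st_mode)) {
			fprintf(stderr, "SQLITE_TMPDIR is not a directory: %s\n", tmpdir);
			return 1;
		}
		if (unveil(tmpdir, "rwc") != 0) {
			fprintf(stderr, "unveil: %s\n", tmpdir);
			return 1;
		}
	}
	/* … unchanged: unveil(NULL, NULL) lock … */
```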