diff options
| author | Dennis Eriksen <d@ennis.no> | 2023-07-06 08:13:05 +0200 |
|---|---|---|
| committer | Dennis Eriksen <d@ennis.no> | 2023-07-06 08:13:05 +0200 |
| commit | f53cca4af37d59db4f190c9414c0033d05d379cc (patch) | |
| tree | 530e4dc3e1766a9f458626e211bab50156570a17 /src | |
| parent | adding lincence, and some other useful stuff (diff) | |
| download | purl-rs-f53cca4af37d59db4f190c9414c0033d05d379cc.tar.gz | |
adding pledge(2) and unveil(2) for openbsd, and fixing some typos and stuff
Diffstat (limited to 'src')
| -rw-r--r-- | src/main.rs | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/src/main.rs b/src/main.rs index 638a9a0..ab5a1d4 100644 --- a/src/main.rs +++ b/src/main.rs @@ -16,14 +16,19 @@ use std::process::exit; use dotenv; use postgres::{Client, NoTls}; use dumb_cgi::{Request, EmptyResponse, Query}; +use pledge::pledge_promises; use rand::{thread_rng, Rng, distributions::Alphanumeric}; use regex::Regex; +use unveil::unveil; use url::Url; // Do the dirty fn main() { + // Let's drop some privileges before we do anything else + drop_privs(); + // Get variables from dotenv, or use defaults let dburl:&str = &dotenv::var("DATABASE_URL").unwrap_or("postgresql://localhost/purl-rs".to_string()); let create_uri:&str = &dotenv::var("CREATE_URI").unwrap_or("/create".to_string()); @@ -267,4 +272,22 @@ fn check_short(short:&str) -> bool { } +// +// Drop privileges +// +fn drop_privs() { + // Restrict what files we can access. See unveil(2) + unveil(".env", "r") + .or_else(unveil::Error::ignore_platform) + .unwrap(); + unveil("", "") + .or_else(unveil::Error::ignore_platform) + .unwrap(); + + // Restrict what system calls we can access. See pledge(2) + pledge_promises![Stdio Rpath Inet Dns] + .or_else(pledge::Error::ignore_platform) + .unwrap(); +} + // end of file |