On 2021-03-28 15:37, Paul W. Rankin wrote:
I'm running cgit with httpd + slowcgi and can't seem to get the
about-filter to work. Both httpd and slowcgi run in the default chroot
of /var/www.

I've compiled lowdown with "-static -pie" to /var/www/bin/lowdown
(chroot /bin/lowdown) with permissions:

    -rwxr-xr-x  1 root  bin  1325512 Mar  4 01:38 /var/www/bin/lowdown

In my cgitrc (cgit.conf):

    about-filter=/bin/lowdown
    readme=:README.md

However, upon visiting an About page of a repo that includes a
README.md, I get only a blank page and the following is logged in
error.log:

    lowdown: README.md: No such file or directory

Okay I figured this out, but the solution raises a troubling question...

The cgit about-filter doesn't want an executable to do e.g. the Markdown conversion; rather, it wants a script that will return the command to perform this, e.g.:

    #!/bin/sh
    case "$1" in
    (*.md)              exec /bin/lowdown ;;
    (*)                 exit ;;
    esac

This works, i.e. README.md files are converted to HTML, but this requires copying the sh binary into /var/www/bin, which is the troubling part.

Is this an acceptable thing to do, security-wise?

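The dispatch done by the sh script above, written as a small C program so that it needs no shell in the chroot. This is an added example, not part of the original message and not code from cgit or lowdown. It assumes cgit runs the about filter with the readme's file name as the first argument and the file content on standard input, and that lowdown reads standard input when given no file argument; `pick_converter` is a hypothetical helper name.

```c
/* Added example: about-filter wrapper with no shell dependency. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Converter path inside the chroot, as given in the message above. */
#define LOWDOWN "/bin/lowdown"

/* Return 1 if name ends with suffix (same match as the sh pattern *.md). */
static int has_suffix(const char *name, const char *suffix)
{
    size_t n = strlen(name), s = strlen(suffix);
    return n >= s && strcmp(name + n - s, suffix) == 0;
}

/* Hypothetical helper: map a readme name to the converter, or NULL. */
const char *pick_converter(const char *filename)
{
    if (filename != NULL && has_suffix(filename, ".md"))
        return LOWDOWN;
    return NULL;
}

int main(int argc, char *argv[])
{
    const char *conv = pick_converter(argc > 1 ? argv[1] : NULL);
    char *const args[] = { "lowdown", NULL };

    if (conv == NULL)
        return 0;               /* like "(*) exit": emit nothing */

    /* The file name is only inspected, never passed on or opened:
     * the content arrives on stdin, which lowdown inherits. */
    execv(conv, args);
    perror(conv);               /* reached only if exec failed */
    return 1;
}
```

Built with the same "-static -pie" flags used for lowdown and placed in the chroot, the resulting binary would be named in about-filter in place of the script.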