<br><div class="gmail_quote">On Tue, Aug 16, 2011 at 9:43 PM, Igor Stasenko <span dir="ltr"><<a href="mailto:siguctua@gmail.com">siguctua@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div></div><div class="h5"><br>
On 16 August 2011 22:02, laurent laffont <<a href="mailto:laurent.laffont@gmail.com">laurent.laffont@gmail.com</a>> wrote:<br>
><br>
>><br>
>> ><br>
>> > On Tue, Aug 16, 2011 at 6:46 PM, Igor Stasenko <<a href="mailto:siguctua@gmail.com">siguctua@gmail.com</a>> wrote:<br>
>> >><br>
>> >> On 16 August 2011 16:42, laurent laffont <<a href="mailto:laurent.laffont@gmail.com">laurent.laffont@gmail.com</a>> wrote:<br>
>> >> ><br>
>> >> > Hi,<br>
>> >> ><br>
>> >> > for SmallHarbour I've cloned cogvm/blessed and then added security patches from SeasideHosting. See<br>
>> >> > - <a href="https://gitorious.org/~laurentlaffont/cogvm/smallharbour" target="_blank">https://gitorious.org/~laurentlaffont/cogvm/smallharbour</a><br>
>> >> > - <a href="https://gitorious.org/~laurentlaffont/cogvm/smallharbour/commit/7f45e401f8c805021e3ef06e110e3f079fe6ecc3" target="_blank">https://gitorious.org/~laurentlaffont/cogvm/smallharbour/commit/7f45e401f8c805021e3ef06e110e3f079fe6ecc3</a><br>
>> >> ><br>
>> >> > What's the best way to stay synchronized with cogvm/blessed commits ?<br>
>> >><br>
>> >> First you need to add blessed as a remote repository:<br>
>> >><br>
>> >> git remote add blessed git://<a href="http://gitorious.org/cogvm/blessed.git" target="_blank">gitorious.org/cogvm/blessed.git</a><br>
>> >><br>
>> >> Then you can simply pull changes to your branch:<br>
>> >><br>
>> >> git pull blessed<br>
>> >><br>
>> >> and it will merge changes automatically (of course, if there are no conflicts).<br>
>> >><br>
>> >> And then<br>
>> >><br>
>> >> git push<br>
>> >><br>
>> >> to push updates to your own repository.<br>
>> >><br>
>> >> > Is it interesting to adapt this patch for integration in cogvm/blessed ?<br>
>> >><br>
>> >> Absolutely. All contributions are welcome :)<br>
>> >><br>
>> >> > Is this patch good ?<br>
>> >> ><br>
>> >><br>
>> >> I am a bit out of context. Where can I read a description of what you did?<br>
>> ><br>
>> ><br>
>> ><br>
>> > First the changes are quite small, originally made by Nestyle (I suppose) for SeasideHosting.<br>
>> > This introduces the use of environment variables to restrict filesystem and port access. For example we don't want the hosted image to be able to access /etc/passwd or another account's files. We don't want 2 images to use the same port.<br>
>> > So this patch reads these environment variables:<br>
>> > export SQUEAK_PORT_LO=16400<br>
>> > export SQUEAK_PORT_HI=16407<br>
>> > export SQUEAK_ROOT_DIR="/service/myaccount/files"<br>
>> ><br>
>> > so only ports between 16400 and 16407 can be opened, only /service/myaccount/files can be read/written.<br>
>> > Note that in the patch port 25 (SMTP) is always accessible.<br>
>> > This is very specific to SeasideHosting/SmallHarbour, so I don't think the patch should be applied as it is now in cogvm/blessed, but having such functionality in the VM would be nice IMO.<br>
>> ><br>
>> > The commit is here - quite easy to read: <a href="https://gitorious.org/~laurentlaffont/cogvm/smallharbour/commit/7f45e401f8c805021e3ef06e110e3f079fe6ecc3" target="_blank">https://gitorious.org/~laurentlaffont/cogvm/smallharbour/commit/7f45e401f8c805021e3ef06e110e3f079fe6ecc3</a><br>
>> > Laurent.<br>
>> ><br>
>><br>
>> Wait. First you are asking if those can be integrated, and then you are saying<br>
>> that it's too specific..<br>
>> Do you mean that we should discuss/think about integrating a more<br>
>> general form of this functionality?<br>
><br>
><br>
> Yes. Sorry for confusion :)<br>
> Laurent.<br>
><br>
</div></div>As to me an environment these settings is good enough. For unix-like<br>
systems it is pretty fine.<br>
But for Windows, it is more common to use .ini file(s) and store settings there.<br></blockquote><div><br></div><div><br></div><div>What do you think about program arguments? Like this:</div><div><br></div><div>./cog -port-filter 25,16400:16407 -fs-root /var/images/public/</div>
<div><br></div><div>on Windows</div><div><br></div><div>cog -port-filter 25,16400:16407 -fs-root "C:\Images\Public\"</div><div><br></div><div>with </div><div>-port-filter 25,8080,8081 means "allow only 25, 8080 and 8081"</div>
<div>-port-filter 8080:8090 means "allow ports from 8080 to 8090"</div><div><br></div><div><br></div><div>Laurent</div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><br>
>><br>
>> ><br>
>> >><br>
>> >> > Laurent Laffont - @lolgzs<br>
>> >> ><br>
>> >> > Pharo Smalltalk Screencasts: <a href="http://www.pharocasts.com/" target="_blank">http://www.pharocasts.com/</a><br>
>> >> > Blog: <a href="http://magaloma.blogspot.com/" target="_blank">http://magaloma.blogspot.com/</a><br>
>> >> > Developer group: <a href="http://cara74.seasidehosting.st" target="_blank">http://cara74.seasidehosting.st</a><br>
>> >> ><br>
>> >> ><br>
>> >><br>
>> >><br>
>> >><br>
>> >> --<br>
>> >> Best regards,<br>
>> >> Igor Stasenko AKA sig.<br>
</div>--<br>
<div><div></div><div class="h5">Best regards,<br>
Igor Stasenko AKA sig.<br>
</div></div></blockquote></div><br>
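The -port-filter syntax proposed in this message (comma-separated ports and lo:hi ranges), as an added C example that is not code from the SeasideHosting patch or from the Cog VM. The names PortFilter, port_filter_parse and port_filter_allows are hypothetical; a malformed argument leaves the filter empty, so a typo denies every port instead of opening them all.

```c
#include <errno.h>
#include <stdlib.h>

#define MAX_RANGES 16   /* assumed limit, not from the thread */

typedef struct { int lo, hi; } PortRange;
typedef struct { PortRange r[MAX_RANGES]; int n; } PortFilter;

/* Parse one port in 1..65535. Returns -1 on malformed input. */
static int parse_port(const char *s, const char **end) {
    char *e;
    long v;
    if (*s < '0' || *s > '9') return -1;   /* no sign, space or empty field */
    errno = 0;
    v = strtol(s, &e, 10);
    if (errno || v < 1 || v > 65535) return -1;
    *end = e;
    return (int)v;
}

/* Parse a spec such as "25,16400:16407". Returns 0 on success, -1 on error.
   On error the filter is emptied, so every port is denied (fail closed). */
int port_filter_parse(PortFilter *f, const char *spec) {
    const char *p = spec;
    f->n = 0;
    for (;;) {
        int lo = parse_port(p, &p), hi = lo;
        if (lo < 0) goto fail;
        if (*p == ':') {
            hi = parse_port(p + 1, &p);
            if (hi < lo) goto fail;        /* reversed range or bad number */
        }
        if (f->n == MAX_RANGES) goto fail;
        f->r[f->n].lo = lo;
        f->r[f->n].hi = hi;
        f->n++;
        if (*p == '\0') return 0;
        if (*p != ',') goto fail;          /* only ',' may separate entries */
        p++;
    }
fail:
    f->n = 0;
    return -1;
}

/* Returns 1 if the port falls inside any allowed range, else 0. */
int port_filter_allows(const PortFilter *f, int port) {
    for (int i = 0; i < f->n; i++)
        if (port >= f->r[i].lo && port <= f->r[i].hi) return 1;
    return 0;
}
```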