
From: Andrew Hewus Fresh <andrew@afresh1.com>
Subject: Re: Chroot Hotels / Chroot Resorts (as opposed to Jails ) foswiki
To: Tom Smyth <tom.smyth@wirelessconnect.eu>
Cc: OpenBSD Ports <ports@openbsd.org>
Date: Thu, 30 Apr 2026 17:53:40 -0700

On Thu, Apr 30, 2026 at 09:40:12PM +0100, Tom Smyth wrote:
> Hi Folks,
> 
> I'm trying to move web workloads to Perl-based application servers...
> 
> I'm trying foswiki, with httpd on OpenBSD...
> 
> For the Perl functionality, any suggestions on how to elegantly import the
> necessary directories out of the chroot jail?

It looks like Foswiki has FastCGI support built in; I'd probably use
that without a chroot.

https://foswiki.org/Support/FastCGIEngineContrib

If I were feeling extra fancy I'd probably look at adding some pledge and
unveil to the .fcgi file, the Engine, or maybe the Constrained
ProcManager they use.

https://github.com/foswiki/distro/blob/master/FastCGIEngineContrib/bin/foswiki.fcgi

https://github.com/foswiki/distro/blob/master/FastCGIEngineContrib/lib/Foswiki/Engine/FastCGI.pm

https://github.com/foswiki/distro/blob/master/FastCGIEngineContrib/lib/FCGI/ProcManager/Constrained.pm

I haven't looked hard enough to figure out quite how all that is used,
but a quick glance looks like you could pretty easily write an Engine
that subclasses their FastCGI engine and does all the privilege
dropping, pledge, and unveil.


I wrote down some notes about httpd's FastCGI support a while back.

https://gist.github.com/afresh1/b30e823770f2a38133c579321b6cbb4a

You might want to start it as root so it can write its socket somewhere
privileged and then drop those privileges.  Even longer ago I wrote a
proof-of-concept FCGI::ProcManager that would do that.

https://gist.github.com/afresh1/558fc0b4dfbeab0fbd59


There are lots of hooks you can use to customize the ProcManager.

https://metacpan.org/pod/FCGI::ProcManager

l8rZ,
-- 
andrew

The 3 great virtues of a programmer: Laziness, Impatience, and Hubris.
                      --Larry Wall
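
An added example, not Foswiki's code and not part of the message above, that
puts the steps Andrew sketches into one runnable Perl script: bind the FastCGI
socket as root inside httpd's chroot, chown it to the service user and httpd's
group, drop privileges, then pledge the manager and unveil/pledge each worker
from FCGI::ProcManager's managing_init and handling_init hooks rather than from
an Engine subclass. The paths, the _foswiki account, the httpd.conf socket name
and the promise list are assumptions to adjust for a real install; where
Foswiki's engine would run, the worker answers with a fixed text reply so the
hardening can be exercised on its own.

```perl
#!/usr/bin/perl
# Added example, not Foswiki's or the original poster's code: a FastCGI
# responder that binds its socket as root inside httpd's chroot, drops
# privileges, and pledge(2)s/unveil(2)s every worker via ProcManager hooks.
use strict;
use warnings;
use FCGI;
use FCGI::ProcManager;
use POSIX ();

# Assumed layout: httpd runs chrooted in /var/www, so it reaches this socket
# as "/run/foswiki.sock" (fastcgi socket "/run/foswiki.sock" in httpd.conf).
my $SOCKET   = '/var/www/run/foswiki.sock';
my $RUN_AS   = '_foswiki';            # hypothetical unprivileged account
my $SOCK_GRP = 'www';                 # group httpd connects as
my $APP_ROOT = '/var/www/foswiki';    # hypothetical install root
my @PERL_LIB = qw(/usr/libdata/perl5 /usr/local/libdata/perl5);
# Worker promises: unix for accept(2) on the socket, file promises for the
# wiki's data and lock files, unveil so the worker can still call unveil(2)
# before locking the view. Add inet/dns/exec/proc only if enabled features need them.
my @WORKER_PROMISES = qw(stdio unix rpath wpath cpath flock unveil);

package Hardened::ProcManager {
    use parent -norequire, 'FCGI::ProcManager';
    use OpenBSD::Pledge;
    use OpenBSD::Unveil;

    # Manager: only forks, waits for and signals workers. Children inherit
    # the pledge and can only narrow it, so the manager holds the union of
    # its needs and the workers'. SUPER installs the TERM/HUP handlers.
    sub managing_init {
        my ($self) = @_;
        $self->SUPER::managing_init();
        pledge('proc', @WORKER_PROMISES) or $self->pm_die("manager pledge: $!");
        $self->pm_notify("manager pledged, running as euid " . $>);
    }

    # Worker, right after fork: expose only the paths the wiki needs, lock
    # the view, then give up the unveil promise itself.
    sub handling_init {
        my ($self) = @_;
        $self->SUPER::handling_init();
        my %view = (
            (map { ($_ => 'r') } @PERL_LIB),   # modules Foswiki loads lazily
            "$APP_ROOT/lib"     => 'r',
            "$APP_ROOT/data"    => 'rwc',      # topics and lock files
            "$APP_ROOT/pub"     => 'rwc',      # attachments
            "$APP_ROOT/working" => 'rwc',      # sessions, cache, tmp
            '/etc/localtime'    => 'r',
        );
        for my $path (sort keys %view) {
            unveil($path, $view{$path}) or $self->pm_exit("unveil $path: $!", 1);
        }
        unveil() or $self->pm_exit("unveil lock: $!", 1);
        pledge(grep { $_ ne 'unveil' } @WORKER_PROMISES)
            or $self->pm_exit("worker pledge: $!", 1);
        $self->pm_notify("worker pledged and unveiled");
    }
}

# Drop to the service user and verify that setuid(2) replaced the real,
# effective and saved ids before any request is served.
sub drop_privileges {
    my ($uid, $gid) = @_;
    $) = "$gid $gid";                    # egid plus setgroups(2): no stray groups
    POSIX::setgid($gid) or die "setgid($gid): $!\n";
    POSIX::setuid($uid) or die "setuid($uid): $!\n";
    (POSIX::getuid() == $uid && POSIX::geteuid() == $uid
        && POSIX::getgid() == $gid && POSIX::getegid() == $gid)
        or die "privilege drop to uid $uid incomplete\n";
}

$< == 0 or die "start as root: $SOCKET lives in a root-owned directory\n";
my ($uid, $gid) = (getpwnam($RUN_AS))[2, 3];
defined $uid or die "no such user: $RUN_AS\n";
my $sock_gid = (getgrnam($SOCK_GRP))[2];
defined $sock_gid or die "no such group: $SOCK_GRP\n";

# Bind while still root, then hand the socket to the service user and to
# httpd's group; mode 0660 means only those two can connect.
unlink $SOCKET;
my $socket = FCGI::OpenSocket($SOCKET, 16);
$socket >= 0 or die "OpenSocket($SOCKET): $!\n";
chown $uid, $sock_gid, $SOCKET or die "chown $SOCKET: $!\n";
chmod 0660, $SOCKET            or die "chmod $SOCKET: $!\n";
drop_privileges($uid, $gid);

my $pm = Hardened::ProcManager->new({ n_processes => 4 });
$pm->pm_manage();    # the manager never returns; each worker does
my $request = FCGI::Request(\*STDIN, \*STDOUT, \*STDERR, \%ENV, $socket,
                            FCGI::FAIL_ACCEPT_ON_INTR());
while ($request->Accept() >= 0) {
    $pm->pm_pre_dispatch();
    # A real .fcgi hands the request to Foswiki's engine here; this example
    # answers statically so the hardening can be tried on its own.
    print "Content-Type: text/plain\r\n\r\nserved by euid " . $> . " from $APP_ROOT\n";
    $pm->pm_post_dispatch();
}
```

Run it as root and point httpd at the socket with `fastcgi socket
"/run/foswiki.sock"` in the location block (httpd resolves that path inside
its /var/www chroot). If a worker logs EPERM from pledge or ENOENT for a file
that plainly exists, the promise list or the unveil table is what needs
widening, not the privilege drop; that is the point of putting both after the
drop, so a mistake fails closed.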