From: Andrew Hewus Fresh
Subject: Re: Chroot Hotels / Chroot Resorts (as opposed to Jails ) foswiki
To: Tom Smyth
Cc: OpenBSD Ports
Date: Thu, 30 Apr 2026 17:53:40 -0700

On Thu, Apr 30, 2026 at 09:40:12PM +0100, Tom Smyth wrote:
> Hi Folks,
>
> I'm trying to move web workloads to perl based application servers...
>
> I'm trying foswiki, with httpd on OpenBSD...
>
> for the perl functionality any suggestions on how to elegantly import the
> necessary directories out of the chroot jail

It looks like Foswiki has FastCGI support built in, I'd probably use
that without a chroot.

https://foswiki.org/Support/FastCGIEngineContrib

If I was feeling extra fancy I'd probably look at adding some pledge and
unveil to the .fcgi file, the Engine, or maybe the Constrained
ProcManager they use.

https://github.com/foswiki/distro/blob/master/FastCGIEngineContrib/bin/foswiki.fcgi
https://github.com/foswiki/distro/blob/master/FastCGIEngineContrib/lib/Foswiki/Engine/FastCGI.pm
https://github.com/foswiki/distro/blob/master/FastCGIEngineContrib/lib/FCGI/ProcManager/Constrained.pm

I haven't looked hard enough to figure out quite how all that is used,
but a quick glance looks like you could pretty easily write an Engine
that subclasses their FastCGI engine and does all the privilege
dropping, pledge, and unveil.

I wrote down some notes about httpd's FastCGI support a while back.

https://gist.github.com/afresh1/b30e823770f2a38133c579321b6cbb4a

You might want to start it as root so it can write its socket somewhere
privileged and then drop those privileges. Even longer ago I wrote
a proof-of-concept FCGI::ProcManager that would do that.

https://gist.github.com/afresh1/558fc0b4dfbeab0fbd59

There are lots of hooks you can use to customize the ProcManager.

https://metacpan.org/pod/FCGI::ProcManager

l8rZ,
-- 
andrew

The 3 great virtues of a programmer:
    Laziness, Impatience, and Hubris.
                      --Larry Wall
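
The approach suggested in the message above (open the socket as root, then drop privileges and apply pledge and unveil through FCGI::ProcManager hooks), as an added example that is not part of the original post and is neither the linked proof-of-concept nor Foswiki code. The package name, socket path, data path, user and promise list are assumptions; a real Foswiki install needs its own unveil paths and promises worked out by testing.

```perl
package Local::ProcManager::Sandboxed;    # hypothetical name
use strict; use warnings;
use parent 'FCGI::ProcManager';
use POSIX ();
use OpenBSD::Pledge;
use OpenBSD::Unveil;

# Manager hook: runs once in pm_manage(), before workers fork. The socket is already open.
sub managing_init {
    my ($self) = @_;
    $self->SUPER::managing_init();    # pid file, signal handlers
    my ( $uid, $gid ) = ( getpwnam $self->{run_as} )[ 2, 3 ];
    defined $uid or die "unknown user $self->{run_as}\n";
    $) = "$gid $gid";                 # egid plus supplementary groups
    POSIX::setgid($gid) or die "setgid: $!\n";
    POSIX::setuid($uid) or die "setuid: $!\n";
    die "extra groups kept\n" if grep { $_ != $gid } split ' ', $);
    die "can regain root\n" if $uid != 0 && POSIX::setuid(0);
}

# Worker hook: runs in each forked child before it accepts requests.
sub handling_init {
    my ($self) = @_;
    $self->SUPER::handling_init();
    while ( my ( $path, $perm ) = each %{ $self->{unveil} } ) {
        unveil( $path, $perm ) or die "unveil $path: $!\n";
    }
    unveil() or die "unveil lock: $!\n";    # no further unveil calls allowed
    pledge( @{ $self->{pledge} } ) or die "pledge: $!\n";
}

package main;
use FCGI;
# Constructed values: socket path, user, unveil paths and promises are assumptions.
my $path = '/var/www/run/example.sock';
my $sock = FCGI::OpenSocket( $path, 16 );    # created while still root
chown scalar( getpwnam 'www' ), -1, $path or die "chown $path: $!\n";
my $pm = Local::ProcManager::Sandboxed->new( {
    n_processes => 2, run_as => 'www',
    unveil      => { '/var/www/example/data' => 'rwc', '/usr/libdata/perl5' => 'r' },
    pledge      => [qw( rpath wpath cpath flock unix )],    # unix: accept(2) on the socket
} );
my $req = FCGI::Request( \*STDIN, \*STDOUT, \*STDERR, \%ENV, $sock );
$pm->pm_manage();    # manager drops root here; only workers return
while ( $req->Accept() >= 0 ) {
    $pm->pm_pre_dispatch();
    print "Content-Type: text/plain\r\n\r\nsandboxed worker $$\n";
    $pm->pm_post_dispatch();
}
```

Modules that Perl loads lazily at request time must sit under an unveiled path (the `/usr/libdata/perl5` entry here), otherwise the first `require` after `unveil()` fails with ENOENT.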