Re: [dev] A simpler static file server than quark

From: Laslo Hunhold <dev_AT_frign.de>
Date: Sun, 26 Jan 2020 10:35:14 +0100

On Sun, 26 Jan 2020 08:59:55 +0100
"Richard Ulmer" <maillists.rulmer_AT_mailbox.org> wrote:

Dear Richard,

> This is exactly what the noroot patch does: Removing chroot(2),
> setgid(2), setuid(2) and setgroups(2). I didn't make up the behaviour
> I described. I'm unable to reproduce the error right now, but it
> occurs occasionally on an Ubuntu system I use. I think the exact
> error is "fork: Resource temporarily unavailable". Maybe the problem
> could be resolved using ulimit, but I haven't tried that yet.

I'm actually thinking about removing the noroot-patch, as it deeply
harms quark's security model and by the time you applied the patch you
can just as well add a sudo or doas rule to exempt quark in certain
ways.

> > It's not many lines of code by itself, but it is not minimalist, I
> > think.
> >
> > [...]
> >
> > For port < 1024 you'd still need root or namespace privileges
> > usually.
> >
> > quark supports GET and HEAD requests and supports common
> > byte-ranges too.
>
> I'm getting the feeling that I offended you. This was not my
> intention. I don't want to discredit quark; it has use cases, which
> cannot be satisfied by the tool I presented. statico is better suited
> for some use cases that I frequently encounter, but that doesn't mean
> it's a replacement for quark.

Take it easy. In regard to statico, what I could add is that you should
never forget the shoulders of giants you are standing on. The program
you pointed to has 43 LOCs, but heavily uses the HTTP-infrastructure
provided by Go, which might introduce some quirks.
Sure, quark has more LOC, but it goes down to the TCP-level, implements
HTTP from scratch and there is fine-grained control of which headers to
accept and which to ignore.
There are discussions and suggestions to strip quark down even further
in regard to virtual hosts and so forth, but I'm still thinking about
that.

Use whatever you want, man, but don't complain when you cut the
security of your webserver and get a problem with that.

With best regards

Laslo
Received on Sun Jan 26 2020 - 10:35:14 CET
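
For reference, the kind of startup sequence built from the four calls named in the thread (chroot(2), setgroups(2), setgid(2), setuid(2)), as an added example that is not part of this mail and not quark's own code. The helper name drop_privileges and its arguments are hypothetical; the point is the ordering and the final check that root cannot be regained.

```c
#define _DEFAULT_SOURCE /* for chroot(2) and setgroups(2) on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper (not quark's code): confine the process to `dir`
 * and irreversibly switch to the unprivileged uid/gid.
 * Returns 0 on success, -1 with errno set on failure.
 */
int drop_privileges(const char *dir, uid_t uid, gid_t gid)
{
	if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* not a drop */
	if (geteuid() != 0) { errno = EPERM; return -1; } /* chroot(2) needs root */

	/* 1. chroot while still root, then move the cwd inside the jail */
	if (chroot(dir) < 0 || chdir("/") < 0)
		return -1;
	/* 2. clear supplementary groups; impossible once the uid is dropped */
	if (setgroups(1, &gid) < 0)
		return -1;
	/* 3. group before user: after setuid() the gid can no longer change */
	if (setgid(gid) < 0)
		return -1;
	if (setuid(uid) < 0)
		return -1;
	/* 4. verify: regaining root must fail and all ids must match */
	if (setuid(0) == 0 || setgid(0) == 0 ||
	    getuid() != uid || geteuid() != uid ||
	    getgid() != gid || getegid() != gid) {
		errno = EPERM;
		return -1;
	}
	return 0;
}

int main(int argc, char *argv[])
{
	if (argc != 4) {
		fprintf(stderr, "usage: %s dir uid gid\n", argv[0]);
		return 2;
	}
	if (drop_privileges(argv[1], (uid_t)atol(argv[2]), (gid_t)atol(argv[3])) < 0) {
		perror("drop_privileges");
		return 1;
	}
	printf("confined: uid=%d gid=%d\n", (int)getuid(), (int)getgid());
	return 0;
}
```

A caller should treat any -1 as fatal and exit rather than continue serving with partially dropped privileges.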