A simplistic and secure Gopher server
Khan is a gopher server supporting chroot, meant to be run from inetd.
Khan's design relies on inetd: the idea is to delegate networking to a daemon that has proven it does it correctly, so Khan takes its request from stdin and writes the result to stdout. This also makes it very easy to write tests for it.
Khan is perfectly secure if run on OpenBSD: using unveil(), filesystem access is restricted to one directory (default /var/gopher/), and with pledge(), only system calls related to reading files and reading input/output are allowed.
In addition, it's possible to run Khan in a chroot and drop privileges to a dedicated user on every system on which Khan compiles.
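The ordering described above, as an added C example that is not Khan's source code: the process confines itself first and only then reads its single request from stdin. The names read_selector() and sandbox() and the reply line are hypothetical and constructed for illustration; unveil() and pledge() are compiled only on OpenBSD.

```c
#define _DEFAULT_SOURCE /* glibc: declare chroot() and setgroups() */
#include <err.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Read one request line (the selector) and strip its CRLF.
 * Returns 0 on success, -1 on EOF or a line that overflows buf. */
int read_selector(FILE *in, char *buf, size_t len)
{
    if (fgets(buf, (int)len, in) == NULL)
        return -1;
    size_t n = strcspn(buf, "\r\n");
    if (buf[n] == '\0' && n == len - 1) /* buffer full, no terminator */
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Confine the process to dir before any request byte is parsed.
 * user may be NULL: then no chroot and no privilege drop. */
void sandbox(const char *dir, const char *user)
{
    if (user != NULL) {
        struct passwd *pw = getpwnam(user); /* resolve before chroot */
        if (pw == NULL) errx(1, "unknown user %s", user);
        if (chroot(dir) == -1 || chdir("/") == -1) err(1, "chroot");
        if (setgroups(1, &pw->pw_gid) == -1 || setgid(pw->pw_gid) == -1 ||
            setuid(pw->pw_uid) == -1) err(1, "drop privileges");
        dir = "/"; /* the data directory is now the root */
    }
#ifdef __OpenBSD__
    if (unveil(dir, "r") == -1) err(1, "unveil");
    /* no "unveil" promise: the unveil list is locked from here on */
    if (pledge("stdio rpath", NULL) == -1) err(1, "pledge");
#endif
}

int main(void)
{
    char sel[1024];
    sandbox("/var/gopher", NULL); /* as with khan -d /var/gopher */
    if (read_selector(stdin, sel, sizeof sel) == -1) return 1;
    /* constructed reply: one Gopher info line, then the terminator */
    printf("iselector is %zu bytes\tfake\t(NULL)\t0\r\n.\r\n", strlen(sel));
    return 0;
}
```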
Installing
For some systems, the library libsd may be required.
git clone https://tildegit.org/solene/khan.git
cd khan
make
sudo make install
Running tests
Khan comes with a test suite you can use with make test.
Command line parameters
Khan has a few parameters you can use in inetd configuration.
-d PATH: use PATH as the data directory to serve files from. Default is /var/gopher
-u username: enable chroot to the data directory and drop privileges to username.
How to configure Khan using inetd
Create the directory /var/gopher/; files will be served from there. Alternatively, use the -d parameter to choose another path.
Add this line to inetd.conf:
70 stream tcp nowait gopher_user /usr/local/bin/khan khan
On OpenBSD, enable and start inetd:
# rcctl enable inetd
# rcctl start inetd
References
Khan is based on Vger source code. I didn't want to add a lot of conditional instructions to make Vger support both the gemini and gopher protocols.