diff --git a/sandboxd/server/server.go b/sandboxd/server/server.go index 930c30e..6421ac1 100644 --- a/sandboxd/server/server.go +++ b/sandboxd/server/server.go @@ -465,7 +465,7 @@ func (s *Server) requireRoot(next http.HandlerFunc) http.HandlerFunc { } // resolveScope matches the bearer token to root ("") or a tenant name. With -// no api token and no tenants the node-level endpoints stay open, as before. +// no api token and no tenants the node-level endpoints stay open. func (s *Server) resolveScope(r *http.Request) (string, bool) { if s.apiToken == "" && len(s.tenants) == 0 { return "", true diff --git a/sdk/openai/cocoonsandbox_openai/adapter.py b/sdk/openai/cocoonsandbox_openai/adapter.py index 7a6edab..ab6b493 100644 --- a/sdk/openai/cocoonsandbox_openai/adapter.py +++ b/sdk/openai/cocoonsandbox_openai/adapter.py @@ -126,8 +126,6 @@ def _sandbox(self, timeout: float | None = None) -> Sandbox: return Sandbox(client=client, id=s.sandbox_id, token=s.sandbox_token, owner=s.owner or s.addr) def _abs(self, path: Path | str) -> Path: - # The SDK hands paths as str or Path; a relative one roots at the - # manifest workspace. path = Path(path) if path.is_absolute(): return path diff --git a/silkd/src/sysutil.rs b/silkd/src/sysutil.rs index 62101ac..a58f1da 100644 --- a/silkd/src/sysutil.rs +++ b/silkd/src/sysutil.rs @@ -101,6 +101,8 @@ fn lookup_user(user: &str) -> Result<(u32, u32, String), String> { if pw.is_null() { return Err(format!("unknown user {user:?}")); } + // SAFETY: pw is non-null (checked) and, with NSS_LOCK still held, points to + // a valid passwd whose pw_dir is a NUL-terminated string it owns. let pw = unsafe { &*pw }; let home = unsafe { std::ffi::CStr::from_ptr(pw.pw_dir) } .to_string_lossy()