Re: RC Bugfix #605868: please unblock sbox-dtc

To: Philipp Kern <pkern@debian.org>
Cc: Debian Release <debian-release@lists.debian.org>
Subject: Re: RC Bugfix #605868: please unblock sbox-dtc
From: Thomas Goirand <zigo@debian.org>
Date: Mon, 06 Dec 2010 01:26:46 +0800
Message-id: <[🔎] 4CFBCB56.2040504@debian.org>
In-reply-to: <[🔎] 20101205171516.GA529@thrall.0x539.de>
References: <[🔎] 4CFA79AD.2060001@debian.org> <[🔎] 20101205171516.GA529@thrall.0x539.de>

On 12/06/2010 01:15 AM, Philipp Kern wrote:
> Thomas,
> 
> am Sun, Dec 05, 2010 at 01:26:05AM +0800 hast du folgendes geschrieben:
>> * Sets the SUID bit, chown sbox to root.root (Closse: #605868).
> 
> you know, that bug report you opened, it doesn't explain why you need SUID.
> And a SUID root binary, called as a cgi... doesn't sound like a great idea to
> me.
> 
> Kind regards
> Philipp Kern

Hi,

I thought someone reading what sbox does would understand. Sorry, you
are right, I should have explain it fully on the bug report.

What sbox does is a chroot for CGI scripts, then a chuid (plus all sorts
of setlimits() calls and checks). You can't do that if you aren't root.
SBOX really does add some more security, and that SUID bit really is,
mandatory, to do what it does.

With sbox for example, you can run perl/python/php scripts in a jail in
your vhosts (if you put the necessary interpreters in the chroot of
course), and still be safe.

I hope that explains better.

Thomas

Reply to:

Follow-Ups:
- Re: RC Bugfix #605868: please unblock sbox-dtc
  - From: Julien Cristau <jcristau@debian.org>

References:
- RC Bugfix #605868: please unblock sbox-dtc
  - From: Thomas Goirand <zigo@debian.org>
- Re: RC Bugfix #605868: please unblock sbox-dtc
  - From: Philipp Kern <pkern@debian.org>

Prev by Date: Re: RC Bugfix #605868: please unblock sbox-dtc
Next by Date: Re: lack of gnome on squeeze CD #1
Previous by thread: Re: RC Bugfix #605868: please unblock sbox-dtc
Next by thread: Re: RC Bugfix #605868: please unblock sbox-dtc
Index(es):
- Date
- Thread