On Mon, Dec 6, 2010 at 01:26:46 +0800, Thomas Goirand wrote: > On 12/06/2010 01:15 AM, Philipp Kern wrote: > > Thomas, > > > > am Sun, Dec 05, 2010 at 01:26:05AM +0800 hast du folgendes geschrieben: > >> * Sets the SUID bit, chown sbox to root.root (Closse: #605868). > > > > you know, that bug report you opened, it doesn't explain why you need SUID. > > And a SUID root binary, called as a cgi... doesn't sound like a great idea to > > me. > > > > Kind regards > > Philipp Kern > > Hi, > > I thought someone reading what sbox does would understand. Sorry, you > are right, I should have explain it fully on the bug report. > > What sbox does is a chroot for CGI scripts, then a chuid (plus all sorts > of setlimits() calls and checks). You can't do that if you aren't root. > SBOX really does add some more security, and that SUID bit really is, > mandatory, to do what it does. > > With sbox for example, you can run perl/python/php scripts in a jail in > your vhosts (if you put the necessary interpreters in the chroot of > course), and still be safe. > Why do you need your own setuid wrapper around those scripts instead of using mod_suexec? Cheers, Julien
Attachment:
signature.asc
Description: Digital signature