
Re: RC Bugfix #605868: please unblock sbox-dtc



On 12/17/2010 04:14 AM, Julien Cristau wrote:
> On Mon, Dec  6, 2010 at 01:26:46 +0800, Thomas Goirand wrote:
> 
>> On 12/06/2010 01:15 AM, Philipp Kern wrote:
>>> Thomas,
>>>
>>> on Sun, Dec 05, 2010 at 01:26:05AM +0800 you wrote the following:
>>>> * Sets the SUID bit, chown sbox to root.root (Closse: #605868).
>>>
>>> you know, that bug report you opened, it doesn't explain why you need SUID.
>>> And a SUID root binary, called as a cgi... doesn't sound like a great idea to
>>> me.
>>>
>>> Kind regards
>>> Philipp Kern
>>
>> Hi,
>>
>> I thought someone reading what sbox does would understand. Sorry, you
>> are right, I should have explained it fully on the bug report.
>>
>> What sbox does is a chroot for CGI scripts, then a chuid (plus all sorts
>> of setlimits() calls and checks). You can't do that if you aren't root.
>> SBOX really does add some more security, and that SUID bit really is
>> mandatory to do what it does.
>>
>> With sbox for example, you can run perl/python/php scripts in a jail in
>> your vhosts (if you put the necessary interpreters in the chroot of
>> course), and still be safe.
>>
> Why do you need your own setuid wrapper around those scripts instead of
> using mod_suexec?
> 
> Cheers,
> Julien

SBOX isn't *only* a setuid wrapper, it does a lot more. What's important
is that it is capable of running CGI scripts in a chroot, and also does
a lot of setlimits() calls, so that your CGI scripts can't eat all of
the CPU, RAM, or file descriptors (for example). Please see
/etc/sbox.conf so that you understand what it is capable of.

I have on my laptop (and git) a new version that does even more: it
understands what interpreter to use depending on the type of scripts
called (it looks at the extension). I've successfully run php, python,
perl and ruby scripts this way, in a chroot, without the possibility
that the scripts "eat" all the RAM. It's very useful. This will be
uploaded to SID after Squeeze is out.

Thomas
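
The sequence this message describes (resource limits, a chroot, then a switch to an unprivileged uid), written out as an added C example using setrlimit(2); it is not part of the original thread and is not sbox's code. The limit values, the jail path and uid/gid 1001 are constructed assumptions.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Lower one limit (soft and hard) to at most `want`; never tries to raise it. */
static int cap_limit(int resource, rlim_t want) {
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0) return -1;
    if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < want) want = rl.rlim_max;
    rl.rlim_cur = rl.rlim_max = want;
    return setrlimit(resource, &rl);
}

/* Constructed sample ceilings: CPU seconds, address space, open files. */
int apply_limits(void) {
    if (cap_limit(RLIMIT_CPU, 10) != 0) return -1;
    if (cap_limit(RLIMIT_AS, (rlim_t)256 << 20) != 0) return -1;
    if (cap_limit(RLIMIT_NOFILE, 32) != 0) return -1;
    return 0;
}

/* Enter the jail and drop root for good. Order matters: chroot() needs root,
 * groups must be dropped before the uid, and every call is checked. */
int enter_jail(const char *root, uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return -1;          /* never "drop" to root */
    if (chroot(root) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;       /* clear supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;                /* root must not be regainable */
    return 0;
}

int main(void) {
    if (apply_limits() != 0) { perror("setrlimit"); return 1; }
    /* Constructed jail path and ids; a real wrapper derives them from the vhost. */
    if (enter_jail("/var/jail/example", 1001, 1001) != 0) {
        perror("enter_jail");
        return 1;   /* fail closed: never exec the script outside the jail */
    }
    /* execve() of the CGI script or its interpreter would follow here. */
    return 0;
}
```

The chroot() and setgroups() calls are the steps that require root, which is why a wrapper of this kind is installed setuid root and must give that privilege up before the script runs.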

