
Re: RC Bugfix #605868: please unblock sbox-dtc



----- Original message -----
> Hi,
> 
> On Freitag, 17. Dezember 2010, Thomas Goirand wrote:
> > SBOX isn't *only* a setuid wrapper, it does a lot more. What's
> > important is that it is capable of running CGI scripts in a chroot,
> > and also does a lot of setlimits() calls, so that your CGI scripts
> > can't eat all of the CPU, RAM, or file descriptors (for example).
> > Please see /etc/sbox.conf so that you understand what it is capable of.
> > 
> > I have on my laptop (and git) a new version that does even more: it
> > understands what interpreter to use depending on the type of scripts
> > called (it looks at the extension). I've successfully run php, python,
> > perl and ruby scripts this way, in a chroot, without the possibility
> > that the scripts "eat" all the RAM. It's very useful. This will be
> > uploaded to SID after Squeeze is out.
> 
> and why don't you use /etc/security/limits.conf for this?
> 
> 
> cheers,
>     Holger

Because it would do it for the whole of the domain,
when I might want to do it just for cgi-bin, or even
only some of the cgi-bin in certain folders if I
want to. Also, sbox is a convenient interface.

Thomas
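
The distinction drawn in this reply, per-directory limits applied by a wrapper rather than per-user limits from /etc/security/limits.conf, can be shown with a short added example. This is not sbox's code and does not come from the thread: the rule table, the path and the function names are hypothetical, and a stand-in function takes the place of the CGI script.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical per-directory rules (constructed path; not sbox.conf syntax). */
struct rule { const char *prefix; rlim_t nofile; rlim_t cpu_secs; };
static const struct rule rules[] = {
    { "/var/www/example/cgi-bin/uploads/", 8, 2 },
};

static const struct rule *match_rule(const char *script) {
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (strncmp(script, rules[i].prefix, strlen(rules[i].prefix)) == 0)
            return &rules[i];
    return NULL; /* no rule: the script keeps the inherited limits */
}

/* Lower (never raise) both soft and hard limit; returns 0 on success. */
static int lower_limit(int res, rlim_t want) {
    struct rlimit rl;
    if (getrlimit(res, &rl)) return -1;
    if (want < rl.rlim_max) rl.rlim_max = want;
    if (want < rl.rlim_cur) rl.rlim_cur = want;
    return setrlimit(res, &rl);
}

/* Stand-in for a CGI script: opens up to 20 descriptors, returns the count. */
static int greedy_script(void) {
    int n = 0;
    while (n < 20 && open("/dev/null", O_RDONLY) >= 0) n++;
    return n;
}
/* Fork, apply the matching rule in the child only, then run the script.
   Returns the script's exit status, or -1 on error. */
int run_limited(const char *script) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        const struct rule *r = match_rule(script);
        if (r && (lower_limit(RLIMIT_NOFILE, r->nofile) ||
                  lower_limit(RLIMIT_CPU, r->cpu_secs)))
            _exit(255); /* fail closed: never run a listed script unlimited */
        _exit(greedy_script()); /* a real wrapper would execve() here */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

Because the limits are set after fork() and before the script runs, they affect only that one request; a script outside the listed directory, run by the same user, is untouched.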

