On 12/17/2010 04:14 AM, Julien Cristau wrote: > On Mon, Dec 6, 2010 at 01:26:46 +0800, Thomas Goirand wrote: > >> On 12/06/2010 01:15 AM, Philipp Kern wrote: >>> Thomas, >>> >>> am Sun, Dec 05, 2010 at 01:26:05AM +0800 hast du folgendes geschrieben: >>>> * Sets the SUID bit, chown sbox to root.root (Closse: #605868). >>> >>> you know, that bug report you opened, it doesn't explain why you need SUID. >>> And a SUID root binary, called as a cgi... doesn't sound like a great idea >>> to >>> me. >>> >>> Kind regards >>> Philipp Kern >> >> Hi, >> >> I thought someone reading what sbox does would understand. Sorry, you >> are right, I should have explain it fully on the bug report. >> >> What sbox does is a chroot for CGI scripts, then a chuid (plus all sorts >> of setlimits() calls and checks). You can't do that if you aren't root. >> SBOX really does add some more security, and that SUID bit really is, >> mandatory, to do what it does. >> >> With sbox for example, you can run perl/python/php scripts in a jail in >> your vhosts (if you put the necessary interpreters in the chroot of >> course), and still be safe. >> > Why do you need your own setuid wrapper around those scripts instead of > using mod_suexec? > > Cheers, > Julien
SBOX isn't *only* a setuid wrapper, it does a lot more. What's important is that it is capable of running CGI scripts in a chroot, and also does a lot of setlimits() calls, so that your CGI scripts can't eat all of the CPU, RAM, or file descriptors (for example). Please see /etc/sbox.conf so that you understand what it is capable of. I have on my laptop (and git) a new version that does even more: it understands what interpreter to use depending on the type of scripts called (it looks at the extension). I've successfully ran php, python, perl and ruby scripts this way, in a chroot, without the possibility that the scripts "eat" all the RAM. It's very useful. This will be uploaded to SID after Squeeze is out. Thomas -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4d0ac288.4080...@debian.org