Den 15. des. 2016 21:13, skrev Tommaso Cucinotta:
About chroot-ing, albeit seems doable to copy what a converter needs
in the restricted root, eg, ldd gives you what dynlibs are needed,
the problem stays with additional data the program might need, plus
you need additional privileges to chroot(), overall making the chroot()
way quite impractical [ we don't want to have any suid exe in lyx, do
we :-) ? ]
A SUID lyx might be dangerous indeed. If necessary, the way to do it is
a small SUID utility that creates a sandbox. ( bind-mount readonly /bin,
/lib, possibly /home and whatever else we need in the tmp directory,
chroot, drop privileges & launch the converter.)
Helge Hafting
