开发者

Running jailkit from non-root process

I have a webserver which will开发者_Go百科 frequently spawn a latex interpreter (written in python). This interpreter lives inside a chroot jail made using jailkit so it has to be started as root.

I don't want the server to run as root and I can't setuid the bash script. I could write a setuid c program that calls the script but I'm pretty sure that leads to big security holes.

The best I have come up with so far is running a separate webserver as root whose sole job is spawning interpreter processes.

What is the right way to do this?


Your best bet is to create a very small script which simply set the environment and calls the latex interpreter and make that script SUID root.

This is best because:

  • The least amount of time is spent as root
  • Just a single script needs to be SUID
  • Small script == smaller chance to do something wrong
  • BASH is pretty safe to use as root while running a whole web server is not.
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜