Running jailkit from non-root process
I have a webserver which will开发者_Go百科 frequently spawn a latex interpreter (written in python). This interpreter lives inside a chroot jail made using jailkit so it has to be started as root.
I don't want the server to run as root and I can't setuid the bash script. I could write a setuid c program that calls the script but I'm pretty sure that leads to big security holes.
The best I have come up with so far is running a separate webserver as root whose sole job is spawning interpreter processes.
What is the right way to do this?
Your best bet is to create a very small script which simply set the environment and calls the latex interpreter and make that script SUID root.
This is best because:
- The least amount of time is spent as root
- Just a single script needs to be SUID
- Small script == smaller chance to do something wrong
- BASH is pretty safe to use as root while running a whole web server is not.
精彩评论