Date: Tue, 18 Jul 2000 08:02:37 -0500 From: "Simon" <simon@optinet.com> To: "freebsd-isp@FreeBSD.ORG" <freebsd-isp@FreeBSD.ORG> Subject: Re: Secure CGI execution Message-ID: <200007181152.FAA41301@mail.fpsn.net> In-Reply-To: <18810445910.20000718133155@buz.ch>
next in thread | previous in thread | raw e-mail | index | archive | help
Gabriel, What exactly is test.cgi? If it's a Perl script and there is no perl interpreter in jailed env, how is it gonna compile? If it's a C ( or any other compiled ) program, then it should work. Besides, why do you want to jail CGI? That will be very inconvenient for your users as they'll have many tools available on FreeBSD missing to them. From my past experience, right ownership/permissions of files/directories + setuid is all you really need to make things secure. -Simon On Tue, 18 Jul 2000 13:31:55 +0200, Gabriel Ambuehl wrote: >Hello, >we're are trying to get the CGI scripts of our users in some kind of >sandbox (mainly a chroot or jail environment). During that effort, I >found the sbox cgi-wrapper (http://stein.cshl.org/WWW/software/sbox) >which would basically do what we need (suid to the owner of the script >and then a chroot to limit the script to the users homedirs). However, >while the wrapper compiles without any problems and can be executed as >regular CGI script (which then return an error that one should specify >a real CGI script to execute) we can't get it to execute any CGI >scripts. If I try to open url/cgi-bin/sbox/test.cgi, Apache states >the well known "Premature End of Scriptheader" message. If I open >usr/test.cgi, everything works as expected... Has anyone got a working >installation of sbox or a similar application under FreeBSD 4? > >Making the whole thing transparent to the users will be a totally >different cup of coffee. I think this is best done with some mod_rewrite >magics. > > > > >Best regards, > Gabriel > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-isp" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200007181152.FAA41301>