Return-Path: Delivered-To: apmail-httpd-users-archive@httpd.apache.org Received: (qmail 17473 invoked by uid 500); 3 Dec 2002 02:37:59 -0000 Mailing-List: contact users-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: users@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list users@httpd.apache.org Received: (qmail 17454 invoked from network); 3 Dec 2002 02:37:58 -0000 Received: from mail.cscoms.net (HELO csmail.cscoms.com) (202.183.255.13) by daedalus.apache.org with SMTP; 3 Dec 2002 02:37:58 -0000 Received: from cscoms.net (alain [202.183.160.250]) by csmail.cscoms.com (8.12.3/8.12.3) with ESMTP id gB32c4p8066588 for ; Tue, 3 Dec 2002 09:38:05 +0700 (ICT) Received: (from alain@localhost) by cscoms.net (8.11.4/8.9.3) id gB32c3G00978 for users@httpd.apache.org; Tue, 3 Dec 2002 09:38:03 +0700 Date: Tue, 3 Dec 2002 09:38:03 +0700 From: Alain Fauconnet To: users@httpd.apache.org Message-ID: <20021203093803.B839@cscoms.net> References: <200212021858.55488.davidegiunchi@libero.it> <20021202192250.GD10276@mobile.onyxsys.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20021202192250.GD10276@mobile.onyxsys.net>; from chuck@onyxsys.net on Mon, Dec 02, 2002 at 01:22:50PM -0600 X-Virus-Scanned: by amavisd-milter (http://amavis.org/) X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N Subject: Re: [users@httpd] Re: chrooted cgi-bin Just my 0.02 Euro: > As for file space is concerned, I can setup a chroot_usr directory that I hard > link to the users home directory as usr. So when they reference /usr/bin/perl it will > work (and I won't need a bunch of copies of perl). Hard links or loopback filesystems mounts. I use the latter because I find them more transparent and possibly more robust. > > Now, my question is this; how much overhead were you talking about for the chrooted > system calls? I was under the assumption that it just took up more memory (to > exec another shell). Exec another shell? Pardon? This is not needed at all. The chroot(2) system call just does that: changing the root location. It doesn't fork a new shell. Sbox calls chroot(2) just before exec'ing the CGI script, so there's no extra process overhead. I can't comment about the overhead of chroot itself, but my experience on a quite busy web server is that the load hasn't significantly increased after I began using Sbox. > > And then for php? woudn't you like to chroot php too? so you will need to > > compile php too, so other space is needed, minimum other 10Mb. Sbox only applies to CGI interface, which PHP normally isn't unless you compile it this way (and break a lot of PHP code). PHP has its 'safe mode' the achieve roughly the same effect (I *do* understand that there are a lot of differences). > > Second sbox is a program of 1997, no other's upgrade since now, it works but > > do you trust it for the future? i will use it only if i've a good C and > > suexec.c internal knowledge. Good point, although the design of Sbox is simple and robust enough so that no updates are really needed. The CGI interface is not likely to change. Sbox's main gotcha is its file size resource limitation. It will limit the size of its own log file and Apache's log files, which makes it for an easy DoS attack or problems for lazy sysadmins not rotating log files! Greets, _Alain_ --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See for more info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org " from the digest: users-digest-unsubscribe@httpd.apache.org For additional commands, e-mail: users-help@httpd.apache.org