From owner-freebsd-isp Tue Jul 18 4:59:21 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57])
        by hub.freebsd.org (Postfix) with ESMTP id E32E237B5C8
        for ; Tue, 18 Jul 2000 04:59:18 -0700 (PDT)
        (envelope-from simon@optinet.com)
Received: from station1 (adsl-151-202-97-90.bellatlantic.net [151.202.97.90])
        by mail.fpsn.net (8.9.3/8.9.3) with SMTP id FAA41301
        for ; Tue, 18 Jul 2000 05:52:59 -0600 (MDT)
        (envelope-from simon@optinet.com)
Message-Id: <200007181152.FAA41301@mail.fpsn.net>
From: "Simon"
To: "freebsd-isp@FreeBSD.ORG"
Date: Tue, 18 Jul 2000 08:02:37 -0500
Reply-To: "Simon"
X-Mailer: PMMail 2000 Professional (2.10.2010) For Windows 2000 (5.0.2195)
In-Reply-To: <18810445910.20000718133155@buz.ch>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: Secure CGI execution
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Gabriel,

What exactly is test.cgi? If it's a Perl script and there is no perl
interpreter in jailed env, how is it gonna compile? If it's a C (or any
other compiled) program, then it should work. Besides, why do you want
to jail CGI? That will be very inconvenient for your users as they'll
have many tools available on FreeBSD missing to them. From my past
experience, right ownership/permissions of files/directories + setuid
is all you really need to make things secure.

-Simon

On Tue, 18 Jul 2000 13:31:55 +0200, Gabriel Ambuehl wrote:

>Hello,
>we're trying to get the CGI scripts of our users in some kind of
>sandbox (mainly a chroot or jail environment). During that effort, I
>found the sbox cgi-wrapper (http://stein.cshl.org/WWW/software/sbox)
>which would basically do what we need (suid to the owner of the script
>and then a chroot to limit the script to the users' homedirs). However,
>while the wrapper compiles without any problems and can be executed as
>regular CGI script (which then returns an error that one should specify
>a real CGI script to execute) we can't get it to execute any CGI
>scripts. If I try to open url/cgi-bin/sbox/test.cgi, Apache states
>the well known "Premature End of Scriptheader" message. If I open
>usr/test.cgi, everything works as expected... Has anyone got a working
>installation of sbox or a similar application under FreeBSD 4?
>
>Making the whole thing transparent to the users will be a totally
>different cup of coffee. I think this is best done with some mod_rewrite
>magic.
>
>Best regards,
> Gabriel
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-isp" in the body of the message
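The point raised in the reply, that a script cannot start if its interpreter is absent from the chroot, can be checked ahead of time. The following is an added example, not part of the original thread or of sbox; the helper name check_chroot_cgi, the directory layout and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed; check_chroot_cgi is a hypothetical helper,
# not part of sbox). Exit status: 0 = exec can succeed, 1 = interpreter
# missing inside the chroot, 2 = script missing or not executable.
check_chroot_cgi() {
    jail=${1%/}                    # chroot directory, seen from outside
    script=$2                      # script path, seen from inside
    target="$jail/${script#/}"
    if [ ! -f "$target" ] || [ ! -x "$target" ]; then
        echo "FAIL: $script missing or not executable under $jail" >&2
        return 2
    fi
    # Without a "#!" line no interpreter lookup happens at exec time.
    IFS= read -r first < "$target" || true
    case $first in
        '#!'*) ;;
        *)  echo "OK: $script has no #! line (e.g. a compiled program)"
            return 0 ;;
    esac
    line=${first#??}               # drop the leading "#!"
    read -r interp rest <<EOF
$line
EOF
    # The kernel resolves the interpreter path after chroot(2), so it
    # has to exist below the jail root, not in the host's /usr/bin.
    if [ -z "$interp" ] || [ ! -f "$jail/${interp#/}" ] ||
       [ ! -x "$jail/${interp#/}" ]; then
        echo "FAIL: $script needs $interp, absent under $jail" >&2
        return 1
    fi
    echo "OK: $interp is present under $jail"
    return 0
}

# Constructed demo: a throwaway directory stands in for the chroot.
demo=$(mktemp -d)
mkdir -p "$demo/cgi-bin" "$demo/usr/bin"
printf '#!/usr/bin/perl\nprint "Content-type: text/plain\\n\\n";\n' \
    > "$demo/cgi-bin/test.cgi"
chmod 755 "$demo/cgi-bin/test.cgi"
check_chroot_cgi "$demo" /cgi-bin/test.cgi || echo "status $?"
: > "$demo/usr/bin/perl"; chmod 755 "$demo/usr/bin/perl"   # stand-in file
check_chroot_cgi "$demo" /cgi-bin/test.cgi || echo "status $?"
rm -rf "$demo"
```

The check covers only the #! interpreter; a dynamically linked binary or interpreter also needs its shared libraries present inside the chroot.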