Someone highlighted that this wasn't enough explanation about the SUID
bit to root. Here's more.

sbox is a CGI wrapper. What it does is that, thanks to a rewrite rule,
when you call:
http://www.example.com/cgi-bin/example.sh

it would in fact call:
http://www.example.com/cgi-bin/sbox/example.sh

So, in short, sbox takes over any cgi-bin and is called by Apache intead
of them. Then it performs a chroot where example.sh is, then a chuid to
the user ID that is configured in /etc/sbox.conf.

Because of the chroot, sbox needs to be SUID to root (you need root
privileges to call chroot). But in fact, sbox doesn't run as root for
long. It does only few checkings, then drops privileges. I think it
could be compared to the suExec for Apache (but better, because of the
setlimits call and the chroot).

So yes, sbox is a CGI script that is SUID to root. But no, this isn't a
security issue, because the purpose of SBOX is to increase security by
doing a chroot, then to drop privileges to the user running the original
CGI script (that SBOX will execute).

I hope that helps the understanding of this bug entry.

Thomas



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to