From: Bernd Paysan
Newsgroups: comp.lang.forth
Subject: Re: WWW-safe Forth?
Date: Sat, 06 Jul 2013 14:42:23 +0200
Organization: 1&1 Internet AG
References: <7x7gh4bv69.fsf@ruckus.brouhaha.com>

David Meyer wrote:

> Is there a general solution for setting up a sandbox for an arbitrary
> program called from a CGI script running on a Linux+Apache server?

The traditional sandboxing in Unix is done with chroot. The main concern with chroot is that you need root to do that - this usually means you first need more privileges to then have less; IMHO this is a very severe design flaw. Dropping privileges should not require having additional ones in the first place.

There are other ways now like seccomp, seccomp-bpf, SELinux (requires administrator to set up), and the AppArmor team is also working on a sandboxing solution... Read more here:

https://www.cr0.org/paper/jt-ce-sid_linux.pdf

Their conclusion is that Linux has no real sandboxing solution. seccomp is only made for computing (it *is* "real", but it is not really usable, since the privileged helper thread can't have memory which is read-write for itself, but read-only for the untrusted thread); seccomp-bpf allows compiling the filter for kernel calls into the kernel itself; it is not a "real sandbox," but it limits the exposure.

It works since kernel 3.5, and is relatively easy to use, but you need to put it into your program, so it doesn't work on "arbitrary programs":

http://outflux.net/teach-seccomp/

The four-level privilege architecture of x86 would allow implementing a real sandbox, by using level 1 or 2 for the sandbox supervisor, and using a call gate to this level for the kernel interrupt. This supervisor then would have private memory (mapped into the same page table, but with restricted write access).

--
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/
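An added example (not from the post, and not the teach-seccomp code it links to) of the seccomp-bpf approach described above: a syscall allow-list that a program installs on itself, assuming Linux 3.5 or later on x86_64 and a constructed four-syscall policy. The small interpreter at the end lets the policy be checked on constructed inputs before it is installed.

```c
/* Added example, not from the post. Assumes Linux >= 3.5 on x86_64;
 * the allow-list (read/write/exit/exit_group) is a constructed policy. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define ALLOW_SYSCALL(name) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##name, 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Classic BPF program the kernel runs on every syscall of this process.
 * It reads struct seccomp_data and returns an action; default is kill. */
static struct sock_filter filter[] = {
    /* syscall numbers differ per ABI, so refuse any other architecture */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW_SYSCALL(read),
    ALLOW_SYSCALL(write),
    ALLOW_SYSCALL(exit_group),
    ALLOW_SYSCALL(exit),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),   /* everything else */
};

/* Interpret the three opcodes the filter uses, as the kernel would, so the
 * policy can be tested on constructed (arch, nr) pairs without installing it. */
uint32_t run_filter(uint32_t arch, uint32_t nr) {
    struct seccomp_data d = { .nr = (int)nr, .arch = arch };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < sizeof filter / sizeof filter[0]; pc++) {
        const struct sock_filter *i = &filter[pc];
        switch (BPF_CLASS(i->code)) {
        case BPF_LD:  memcpy(&acc, (const char *)&d + i->k, sizeof acc); break;
        case BPF_JMP: pc += (acc == i->k) ? i->jt : i->jf; break;  /* relative */
        case BPF_RET: return i->k;
        }
    }
    return SECCOMP_RET_KILL;  /* fell off the end: fail closed */
}

/* Install the filter on the calling process; no_new_privs is mandatory so
 * an unprivileged process may do this and cannot regain rights via setuid. */
int install_filter(void) {
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) {
    if (install_filter()) return 1;
    write(1, "sandboxed\n", 10);  /* allowed; an open() here would kill us */
    _exit(0);
}
```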