0

I have a webserver which will frequently spawn a LaTeX interpreter (written in Python). This interpreter lives inside a chroot jail made using jailkit, so it has to be started as root.

I don't want the server to run as root and I can't setuid the Bash script. I could write a setuid C program that calls the script, but I'm pretty sure that leads to big security holes.

The best I have come up with so far is running a separate webserver as root whose sole job is spawning interpreter processes.

What is the right way to do this?

1 Answer

0

Your best bet is to create a very small script which simply sets the environment and calls the LaTeX interpreter, and make that script SUID root.

This is best because:

  • The least amount of time is spent as root
  • Just a single script needs to be SUID
  • Small script == smaller chance to do something wrong
  • BASH is pretty safe to use as root while running a whole web server is not.
Aaron Digulla
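
The setuid C wrapper the question mentions, written as an added example that is not code from the question or the answer: it validates its single argument, enters the jail, drops root permanently and only then executes the interpreter with a fixed environment. The jail path, the interpreter path, uid/gid 1500 and the job-id argument are assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <ctype.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed values, not from the post: jail, interpreter path inside it, unprivileged ids. */
#define JAIL_DIR  "/srv/latexjail"
#define JAIL_PROG "/usr/bin/latex-interp"
#define RUN_UID   ((uid_t)1500)
#define RUN_GID   ((gid_t)1500)

/* The only caller-supplied value: a short job id limited to [A-Za-z0-9_-]. */
int job_id_ok(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '_' && s[i] != '-') return 0;
    return 1;
}

/* Enter the jail and give up root; returns 0 only if root cannot be regained. */
int enter_jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;               /* clear supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;  /* group first, then user */
    if (setuid(0) == 0) return -1;                        /* regaining root must fail */
    return 0;
}

int main(int argc, char **argv)
{
    char *const envp[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL }; /* nothing inherited */
    if (argc != 2 || !job_id_ok(argv[1])) {
        fprintf(stderr, "usage: wrapper JOB_ID\n");
        return 2;
    }
    if (enter_jail_and_drop(JAIL_DIR, RUN_UID, RUN_GID) != 0) {
        perror("jail setup");
        return 1;
    }
    char *const args[] = { JAIL_PROG, argv[1], NULL };
    execve(JAIL_PROG, args, envp);
    perror("execve");  /* only reached if execve failed */
    return 1;
}
```

Install the binary owned by root with mode 4750 and a group that contains only the web server's user, so no other local account can invoke it.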