lilypond-devel


Re: chroot/setuid for lilypond (for LSR)


From: Sebastiano Vigna
Subject: Re: chroot/setuid for lilypond (for LSR)
Date: Fri, 04 Mar 2005 18:58:02 -0000

Dear developers,
I think I found a reasonable solution.

I'm including a patch for main.cc against the current stable release
(2.4.4). It adds new options

--set-user ('u')
--set-group ('g')
--chroot ('r')
--chdir ('d')

that allow one to first chroot, then setuid/setgrp, and finally chdir.

Using these options, and mounting a file as a loop filesystem with
noexec/nodev lily can be run safely without safe mode. It cannot
generate too large files (the loop device has fixed size) and it cannot
start any executable file (because of the noexec flag). The setuid()
guarantees that it cannot escape from the jail either. Standard tools
can limit the amount of other resources (e.g., CPU) lily can use. The
chdir part is actually necessary, as after a chroot your current
directory is still the old one.

The only stuff that goes into the jail is a copy of the scripts and of
the fonts (a few dozen Mi). 

I think this is a satisfactory solution for people wanting to run lily
on a server, with greater freedom than that provided by safe mode.

I'm not completely familiar with the programming style used in Lilypond.
I tried to conform indentation and style to what I saw in the sources.

I hope you find all this sensible and you will incorporate these
changes. In that case, I am willing to write the relative part of the
manual (or maybe a section about jailing lily).

Of course, presently the process of choosing what goes into the jail is
a matter of trying and strace'ing... but It Works(TM). 8^)
-- 
Ciao,

                                        seba

Attachment: main.cc-patch
Description: Text document
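
The sequence described in the message above (chroot, then drop group and user, then chdir), written out as an added C example; it is not the attached main.cc patch and not LilyPond code. The helper name `enter_jail`, its step-numbered return codes, the `chdir("/")` right after `chroot`, the `setgroups` call and the final check that root cannot be regained are assumptions of this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: enter the jail, drop privileges, move to the work
   directory. Returns 0 on success or a negative step number naming the
   call that failed, so a caller can abort before touching any input. */
int enter_jail(const char *jail, uid_t uid, gid_t gid, const char *dir)
{
    if (uid == 0 || gid == 0) return -1;      /* dropping "to root" is no drop  */
    if (chroot(jail) != 0) return -2;         /* needs root; done first         */
    if (chdir("/") != 0) return -3;           /* cwd was still outside the jail */
    if (setgroups(0, NULL) != 0) return -4;   /* clear supplementary groups     */
    if (setgid(gid) != 0) return -5;          /* group before user: setgid()
                                                 needs root to still be held    */
    if (setuid(uid) != 0) return -6;          /* real, effective and saved uid  */
    if (setuid(0) == 0) return -7;            /* regaining root must now fail   */
    if (chdir(dir) != 0) return -8;           /* path is relative to the jail   */
    return 0;
}

/* Stand-alone use (as root): ./jail JAIL UID GID DIR */
int main(int argc, char **argv)
{
    if (argc != 5) {
        fprintf(stderr, "usage: %s JAIL UID GID DIR\n", argv[0]);
        return 2;
    }
    int rc = enter_jail(argv[1],
                        (uid_t)strtoul(argv[2], NULL, 10),
                        (gid_t)strtoul(argv[3], NULL, 10),
                        argv[4]);
    if (rc != 0) {
        fprintf(stderr, "jail setup failed at step %d\n", -rc);
        return 1;
    }
    puts("jailed; privileges dropped");
    return 0;
}
```

Every return value is checked because a failed `setuid()` that goes unnoticed leaves the process running as root inside the chroot, which is the case the jail is meant to rule out.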

