Posted by a on 01/19/06 18:39
>
> If your process contains arbitrary user-defined functionality, there's
> nothing you can do to define a sandbox for it. Arbitrary user-defined
> functionality may include switching to the superuser mode (e.g., su on
> Unix), which renders any sandbox meaningless.
>
I don't know how things work on Unix, but at least on Windows I think there
is a solution. Instead of calling exec to run the process that does the
actual work (P1), I create a thin executable (P2) that runs my process using
CreateProcessAsUser. This will run a process in the context of a specific
Windows user, which can be different from the user that is calling it.
Then in my php script I use exec to start P2, which will start P1 in a safe
context, assuming that the user in whose context it is running has the
appropriate rights on the server.
I still have to try it, but it seems like a safe solution to me.
A
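To make the scheme concrete, here is an added example (not code from the post's author) of the thin launcher P2 in C: it obtains a primary token for a named account with LogonUser and starts P1 with CreateProcessAsUser. The file name p2.c, the argument order and the P2_PASSWORD environment variable are assumptions made for this example. The quoting helpers matter because PHP's exec() hands P2 a single command line that CreateProcess re-splits for P1; if P2 forwarded user-supplied arguments without quoting them, a file name containing a space or a quote character would turn into extra arguments for P1, so the launcher quotes each argument with the rules the MSVCRT argv parser actually applies.

```c
/* p2.c: thin launcher that runs P1 as another Windows account through
 * CreateProcessAsUser.  Build on Windows: cl /W4 p2.c advapi32.lib
 * Usage: p2.exe <user> <domain> <path-to-p1.exe> [args...]   The password comes
 * from the P2_PASSWORD environment variable (an assumption for this example)
 * so it never shows up in a process list.  Only main() needs Win32. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
#define EMIT(c) do { if (n + 1 >= outsz) return (size_t)-1; out[n++] = (c); } while (0)

/* Quote one argument the way CreateProcess/MSVCRT argv parsing expects: plain
 * arguments are copied as-is; anything with whitespace or a quote is wrapped in
 * quotes, embedded quotes are escaped, and backslashes before a quote (or the
 * closing quote) are doubled.  Returns bytes written, or (size_t)-1 if out is too small. */
size_t quote_arg(const char *arg, char *out, size_t outsz)
{
    size_t n = 0;
    if (*arg != '\0' && strpbrk(arg, " \t\n\v\"") == NULL) {
        for (; *arg; arg++) EMIT(*arg);
        out[n] = '\0';
        return n;
    }
    EMIT('"');
    for (;;) {
        size_t bs = 0, i;
        while (*arg == '\\') { bs++; arg++; }
        if (*arg == '\0') {              /* backslashes before the closing quote stay literal */
            for (i = 0; i < 2 * bs; i++) EMIT('\\');
            break;
        }
        if (*arg == '"') {               /* double the backslashes, then escape the quote */
            for (i = 0; i < 2 * bs + 1; i++) EMIT('\\');
        } else {
            for (i = 0; i < bs; i++) EMIT('\\');
        }
        EMIT(*arg);
        arg++;
    }
    EMIT('"');
    out[n] = '\0';
    return n;
}

/* Join argv[first..argc) into one CreateProcess command line (malloc'd, or NULL). */
char *build_cmdline(int argc, char **argv, int first)
{
    size_t cap = 1, used = 0, n;
    char *cmd;
    int i;
    for (i = first; i < argc; i++) cap += 2 * strlen(argv[i]) + 3; /* all escaped + quotes + space */
    if ((cmd = malloc(cap)) == NULL) return NULL;
    for (i = first; i < argc; i++) {
        if (i > first) cmd[used++] = ' ';
        n = quote_arg(argv[i], cmd + used, cap - used);
        if (n == (size_t)-1) { free(cmd); return NULL; }
        used += n;
    }
    cmd[used] = '\0';
    return cmd;
}

#ifdef _WIN32
int main(int argc, char **argv)
{
    HANDLE tok = NULL; STARTUPINFOA si; PROCESS_INFORMATION pi;
    DWORD code = 1; char *cmd;
    const char *pw = getenv("P2_PASSWORD");
    if (argc < 4 || pw == NULL) {
        fprintf(stderr, "usage: %s <user> <domain> <p1.exe> [args...] (P2_PASSWORD set)\n", argv[0]);
        return 2;
    }
    /* A batch logon returns a primary token, which CreateProcessAsUser requires (a network
     * logon only yields an impersonation token).  The account needs "Log on as a batch job". */
    if (!LogonUserA(argv[1], argv[2], pw, LOGON32_LOGON_BATCH, LOGON32_PROVIDER_DEFAULT, &tok)) {
        fprintf(stderr, "LogonUser failed: %lu\n", GetLastError());
        return 1;
    }
    if ((cmd = build_cmdline(argc, argv, 3)) == NULL) { CloseHandle(tok); return 1; }
    ZeroMemory(&si, sizeof si); si.cb = sizeof si;
    ZeroMemory(&pi, sizeof pi);
    /* lpApplicationName is argv[3] verbatim, not re-parsed from the command line;
     * bInheritHandles is FALSE so P1 gets none of the web server's open handles. */
    if (!CreateProcessAsUserA(tok, argv[3], cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW,
                              NULL, NULL, &si, &pi)) {
        fprintf(stderr, "CreateProcessAsUser failed: %lu\n", GetLastError());
        free(cmd); CloseHandle(tok);
        return 1;
    }
    WaitForSingleObject(pi.hProcess, INFINITE);
    GetExitCodeProcess(pi.hProcess, &code);
    CloseHandle(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(tok);
    free(cmd);
    return (int)code;  /* relay P1's exit status to the PHP exec() caller */
}
#endif
```

Two caveats the post does not cover: CreateProcessAsUser only accepts the token if the calling account holds SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege (LocalSystem has them; an ordinary service account usually does not), and the token's user must have access to the window station and desktop the new process is placed on. Where those conditions cannot be met, CreateProcessWithLogonW, which delegates the work to the Secondary Logon service, is the easier call. Running P1 as a low-privilege account limits what it can do to the file system and registry; it does not by itself cap CPU, memory or process count, which is what a job object is for.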