chroot/setuid for lilypond (for LSR)

[Han-Wen Nienhuys]

address@hidden writes:
> Dear developers,
> after some study it appears that the simplest way to run safely Lilypond
> in full mode requires some simple patch to the source. If anybody can
> provide me a source RPM for Fedora Core 3 I'll do it by myself, but it
> would be interesting if the required features could make it into
> Lilypond 2.5 (if they seem reasonable).
> 
> The idea is to have two command line option, --chroot and --setuid, that
> allow to chroot and setuid lily *after* it has been started. By
>
> chroot'ing after startup we avoid all problems related to library
> loading, and by using a noexec-mounted directory it will be impossible
> to execute binaries.
>
> Depending on when lily loads external files (e.g, before actually
> processing the code or during the compilation) it could be even possible
> at that point to chroot into an empty directory, or just set up some
> hard links.

I'm missing why you would need suid, but I'm not sure it will work. In
any case, LilyPond needs to access contents of /usr/share/lilypond, so
you will have to add those to the chroot jail.  Also, I don't know if
FontConfig and the GUILE module system (needed by the backend) can be
run from inside a jail.

> It should be just a matter of adding a couple of lines to handle the two
> new options, but I'd prefer to patch a working source RPM rather than
> building lily from scratch.

There is a RPM spec in the tarball
(make/out/lilypond.fedora.spec). Due to GS issues, building the doc
rpm doesn't work, but building the base program does


-- 

 Han-Wen Nienhuys   |   address@hidden   |   http://www.xs4all.nl/~hanwen