lilypond-user

Re: lilypond via web interface: security considerations


From: Alex
Subject: Re: lilypond via web interface: security considerations
Date: Wed, 20 May 2009 10:37:09 +0100
User-agent: Thunderbird 2.0.0.21 (Windows/20090302)

Mike Blackstock wrote:
> Install Lilypond in its own chroot jail using Olivier Sessink's jailkit
> available at http://olivier.sessink.nl/jailkit/
> A 'chroot jail' means putting Lilypond on its own filesystem so that
> nefarious activity - such as deleting arbitrary files - will be limited
> to the Lilypond file system. Furthermore, you just limit the number of
> utilities you put in the /bin directories; if you don't have the 'rm'
> command in there, then it can't be run, obviously.
>
> This, and other measures, will give you a fairly secure system, if it's
> your own server system and you have control over it. If it's a public
> system, I doubt they'll let you do any of this, unless it's one of the
> VPS ('virtual personal server') systems out there. These will run you
> around $50 a month, and you get your own root-accessible system that you
> can pretty much do what you want with. The guy I'm gonna use for this
> tells me I can do pretty much anything, short of recompiling the kernel ;)
>
> Hope this helps - I did it myself last year so fire away if you have
> any questions after searching the archives.

Hi Mike,
thanks for your helpful input. I'm familiar with chroot jails but haven't implemented one before. Not seen jailkit before - thanks for that.

I've had a look through the devel and user archives at security mentions. I found out about the safe option but need to dig further, and do some reading etc.

Given my experience at coding around lilypond (i.e. none), I'm not the ideal person to be looking at effecting safe mode, at least, not solo. If anyone with more experience is willing to guide a little, I'm willing to have a look at it (I mean, in the context of actually trying to make changes acceptable to code base proper).

Anyway, will have a look in the archives again...

thanks!
lex
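
The quoted advice about limiting which utilities sit in the jail's /bin directories can be checked mechanically once a jail exists. The following is an added example, not part of the original message and not jailkit's own code; the function name `audit_jail`, the list of directories it scans and the allowlist contents are assumptions.

```shell
#!/bin/sh
# Added example: audit a chroot jail for executables outside an allowlist.
#
# Usage: audit_jail JAIL_ROOT "name1 name2 ..."
#   JAIL_ROOT  top of the jail filesystem (hypothetical: /srv/lilypond-jail)
#   second arg space-separated names of utilities that are allowed to exist
#
# Prints one jail-relative path per unexpected executable.
# Returns 0 when the jail holds only allowed utilities, 1 otherwise.
audit_jail() {
    jail_root=$1
    allowed=$2
    found=0
    # Directories searched by a typical PATH inside the jail (assumed list).
    for dir in bin sbin usr/bin usr/sbin usr/local/bin; do
        [ -d "$jail_root/$dir" ] || continue
        for path in "$jail_root/$dir"/*; do
            # Skip the unexpanded glob of an empty directory, subdirectories,
            # broken symlinks and files without an execute bit.
            [ -f "$path" ] && [ -x "$path" ] || continue
            name=${path##*/}
            case " $allowed " in
                *" $name "*) ;;                       # expected utility
                *) printf '%s\n' "$dir/$name"         # e.g. bin/rm
                   found=1 ;;
            esac
        done
    done
    return "$found"
}
```

Run it after every change to the jail, for example `audit_jail /srv/lilypond-jail "lilypond sh"`, and treat a non-zero exit status as a reason to review what was copied in.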











