AsiaBSDCon 2017 Secure CGI

Asynchronous example with Capsicum sandbox

This isn't possible under the constraints of Capsicum: once we close our file descriptors (which may be required to make the web server release the request), we can't re-open them by path to re-initialise a child process. Likewise, a child that needs to work with new descriptors can't open them either, because it inherits capability mode from the sandboxed parent.

Access to global name spaces, such as file system or IPC name spaces, is prevented. … Future process descendants created with fork(2) or pdfork(2) will be placed in capability mode from inception.

Possible solutions: