| 1 |
Jan Klod wrote: |
| 2 |
> Hello, I would like to see some opinions on chrooting - |
| 3 |
> |
| 4 |
> 1) how big are possible risks of hardened gentoo system compromise, |
| 5 |
> if apache is run normally, therefore a need of chrooting? |
| 6 |
> |
| 7 |
> 2) suppose I chroot Apache: what chances it still has to harm |
| 8 |
> something in the outside OS? My knowledge about various system |
| 9 |
> capabilities, network etc is too little, so enlighten me... And how |
| 10 |
> big is an Apache chroot? |
| 11 |
> |
| 12 |
> And by the way, how big are the risks for sshd and ntpd to open up a |
| 13 |
> way into the hardened gentoo system? Can that recent ntp glsa be |
| 14 |
> ignored, if its hardened with memory protections? |
| 15 |
> |
| 16 |
> Jan |
| 17 |
> |
| 18 |
> |
| 19 |
|
| 20 |
FWIW, I jail/chroot everything that connects to the net; e.g. browsers, |
| 21 |
mail client, tor client, DNS server, nmap, snort, dhcpcd ..... |
| 22 |
everything. This because GRSecurity offers special protections to jailed |
| 23 |
applications that don't normally exist, these in addition to specific |
| 24 |
jail-breaking protections. This is the "openbsd" approach to business - |
| 25 |
build stout jails. Add a layer of "linux" RBAC MAC controls, and you |
| 26 |
should be good to go. |
| 27 |
|
| 28 |
I can't imagine that chrooting Apache, sshd, ntpd, etc. would harm |
| 29 |
anything. Don't know how others do it, but I create a separate directory |
| 30 |
for each application (i.e. individual jails), copy (only) the required |
| 31 |
executables and libraries into appropriately-named subdirectories within |
| 32 |
the application directory, then run a wrapper which chroots, drops |
| 33 |
privileges, and starts up the application (e.g. apache:apache) pointing |
| 34 |
toward its individual the directory. |
| 35 |
|
| 36 |
HTH |
Archives