Jan Klod wrote:
> Hello, I would like to see some opinions on chrooting -
>
> 1) how big are possible risks of hardened gentoo system compromise,
> if apache is run normally, therefore a need of chrooting?
>
> 2) suppose I chroot Apache: what chances it still has to harm
> something in the outside OS? My knowledge about various system
> capabilities, network etc is too little, so enlighten me... And how
> big is an Apache chroot?
>
> And by the way, how big are the risks for sshd and ntpd to open up a
> way into the hardened gentoo system? Can that recent ntp glsa be
> ignored, if it's hardened with memory protections?
>
> Jan
>
>
|
FWIW, I jail/chroot everything that connects to the net; e.g. browsers,
mail client, tor client, DNS server, nmap, snort, dhcpcd .....
everything. This because GRSecurity offers special protections to jailed
applications that don't normally exist, these in addition to specific
jail-breaking protections. This is the "openbsd" approach to business -
build stout jails. Add a layer of "linux" RBAC MAC controls, and you
should be good to go.
|
I can't imagine that chrooting Apache, sshd, ntpd, etc. would harm
anything. Don't know how others do it, but I create a separate directory
for each application (i.e. individual jails), copy (only) the required
executables and libraries into appropriately-named subdirectories within
the application directory, then run a wrapper which chroots, drops
privileges, and starts up the application (e.g. apache:apache) pointing
toward its individual directory.
|
HTH
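
A sketch of the kind of wrapper the reply describes (chroot, drop privileges, start the application), added here as an example and not the poster's own code. The name `jail_and_drop`, the `jailwrap` usage line and the numeric uid/gid arguments are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose chroot() and setgroups() */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter the jail, then give up root for good. Returns 0 on success or a
 * negative step number naming the call that failed. The order matters:
 * chroot() needs root, and groups must be changed before the uid is. */
int jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* root can leave a chroot */
    if (chdir(jail) != 0)        return -2;
    if (chroot(".") != 0)        return -3; /* requires CAP_SYS_CHROOT */
    if (chdir("/") != 0)         return -4; /* leave no cwd outside the jail */
    if (setgroups(0, NULL) != 0) return -5; /* drop root's supplementary groups */
    if (setgid(gid) != 0)        return -6;
    if (setuid(uid) != 0)        return -7; /* as root: real, effective and saved uid */
    if (setuid(0) == 0) { errno = EPERM; return -8; } /* regaining root must fail */
    return 0;
}

/* Hypothetical usage: jailwrap <jail-dir> <uid> <gid> <path-in-jail> [args...] */
int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s jail-dir uid gid program [args...]\n", argv[0]);
        return 2;
    }
    /* A non-numeric id parses as 0 and is refused by jail_and_drop(). */
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    int rc = jail_and_drop(argv[1], uid, gid);
    if (rc != 0) {
        fprintf(stderr, "jailwrap: step %d failed: %s\n", -rc, strerror(errno));
        return 1;
    }
    execv(argv[4], &argv[4]);   /* path is resolved inside the new root */
    perror("jailwrap: execv");
    return 1;
}
```

The program path and every library it loads are looked up inside the jail directory, which is why the reply copies the required executables and libraries there first.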