| 1 |
RijilV wrote: |
| 2 |
> 2009/6/10 7v5w7go9ub0o |
| 3 |
> <7v5w7go9ub0o-Re5JQEeQqe8AvxtiuMwx3w@××××××××××××.org>: |
| 4 |
>> FWIW, I jail/chroot everything that connects to the net; e.g. |
| 5 |
>> browsers, mail client, tor client, DNS server, nmap, snort, dhcpcd |
| 6 |
>> ..... everything. |
| 7 |
> |
| 8 |
> What are you using to do your chrooting? |
| 9 |
> |
| 10 |
> .r' |
| 11 |
> |
| 12 |
|
| 13 |
A man named Steve Friedl has written much about creating and breaking |
| 14 |
out of chroot jails; I use his program "runchroot". |
| 15 |
|
| 16 |
Here's his home page: |
| 17 |
<http://unixwiz.net/techtips/chroot-practices.html#brkout> |
| 18 |
|
| 19 |
I believe the script can be found in this "registerware" article: "Go |
| 20 |
Directly to Jail. Available on all Linux and Unix systems, chroot jails |
| 21 |
can secure untrusted applications and make trusted ones almost |
| 22 |
impenetrable. Heres how to build them." <http://www.linux-mag.com/id/1230> |
| 23 |
|
| 24 |
FWIW, I run a desktop, and shortly expect to run an SSH server. Some of |
| 25 |
the more important GRSecurity lockdowns break X server, so for a |
| 26 |
desktop user, taking the extra step of jailing servers and other |
| 27 |
net-connected applications seems to make sense - especially given the |
| 28 |
wonderful jail-breaking protections afforded jails by GRSecurity |
| 29 |
(obviously, if the Apache server is running on a separate box without X, |
| 30 |
the full complement of GRS "hardening" would be used :-) : |
| 31 |
|
| 32 |
[*] Chroot jail restrictions |
| 33 |
|
| 34 |
[*] Deny mounts |
| 35 |
[*] Deny double-chroots |
| 36 |
[*] Deny pivot_root in chroot |
| 37 |
[*] Enforce chdir("/") on all chroots |
| 38 |
[*] Deny (f)chmod +s |
| 39 |
[*] Deny fchdir out of chroot |
| 40 |
[*] Deny mknod |
| 41 |
[*] Deny shmat() out of chroot |
| 42 |
[*] Deny access to abstract AF_UNIX sockets out of chroot |
| 43 |
[*] Protect outside processes |
| 44 |
[*] Restrict priority changes |
| 45 |
[*] Deny sysctl writes |
| 46 |
[*] Capability restrictions |
| 47 |
|
| 48 |
Again, the GRS RBAC program works extremely well, and is a powerful |
| 49 |
companion to jails. |
| 50 |
|
| 51 |
HTH |
Archives