RijilV wrote:

> 2009/6/10 7v5w7go9ub0o
> <7v5w7go9ub0o-Re5JQEeQqe8AvxtiuMwx3w@××××××××××××.org>:
>> FWIW, I jail/chroot everything that connects to the net; e.g.
>> browsers, mail client, tor client, DNS server, nmap, snort, dhcpcd
>> ..... everything.
>
> What are you using to do your chrooting?
>
> .r'
>

A man named Steve Friedl has written much about creating and breaking
out of chroot jails; I use his program "runchroot".

Here's his home page:
<http://unixwiz.net/techtips/chroot-practices.html#brkout>

I believe the script can be found in this "registerware" article: "Go
Directly to Jail. Available on all Linux and Unix systems, chroot jails
can secure untrusted applications and make trusted ones almost
impenetrable. Here's how to build them." <http://www.linux-mag.com/id/1230>

FWIW, I run a desktop, and shortly expect to run an SSH server. Some of
the more important GRSecurity lockdowns break the X server, so for a
desktop user, taking the extra step of jailing servers and other
net-connected applications seems to make sense - especially given the
wonderful jail-breaking protections afforded jails by GRSecurity
(obviously, if the Apache server is running on a separate box without X,
the full complement of GRS "hardening" would be used :-) :

[*] Chroot jail restrictions
  [*] Deny mounts
  [*] Deny double-chroots
  [*] Deny pivot_root in chroot
  [*] Enforce chdir("/") on all chroots
  [*] Deny (f)chmod +s
  [*] Deny fchdir out of chroot
  [*] Deny mknod
  [*] Deny shmat() out of chroot
  [*] Deny access to abstract AF_UNIX sockets out of chroot
  [*] Protect outside processes
  [*] Restrict priority changes
  [*] Deny sysctl writes
  [*] Capability restrictions

Again, the GRS RBAC program works extremely well, and is a powerful
companion to jails.

HTH
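The post leans on a launcher (runchroot) plus grsecurity's "Enforce chdir("/") on all chroots" and "Deny double-chroots" to keep a chroot from being trivially left. The following is an added example, written for this page and not Steve Friedl's runchroot nor any Gentoo or grsecurity code, of what such a launcher must do in user space when the kernel does not enforce it: chroot, then chdir("/"), then drop root (since a root-owned process inside a plain chroot is not contained), and refuse to run if the caller asked for a root target. The function names (jail_dir_ok, jail_target_ok, enter_jail), the usage syntax and the sample jail path are assumptions of this example.

```c
/* jailrun.c: minimal chroot launcher, added example (not runchroot itself).
 * Usage (assumed): jailrun <absolute-jail-dir> <uid> <gid> <command> [args...]
 * Must be started as root, because chroot(2) needs CAP_SYS_CHROOT. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The jail directory must be an absolute path and not "/" itself
 * (chroot("/") would "jail" the process into the real root). */
int jail_dir_ok(const char *dir) {
    return dir != NULL && dir[0] == '/' && strcmp(dir, "/") != 0;
}

/* The jailed process must never keep uid/gid 0: root inside a plain chroot
 * can create device nodes, chroot again, etc., which is exactly what the
 * grsecurity options in the post exist to block. */
int jail_target_ok(uid_t uid, gid_t gid) {
    return uid != 0 && gid != 0;
}

/* Enter the jail. Order matters:
 *   1. chroot(dir)           change the root
 *   2. chdir("/")            otherwise cwd still points outside the new root;
 *                            grsecurity's "Enforce chdir('/')" does this in-kernel
 *   3. setgroups/setgid/setuid  drop root last, since chroot needs privilege
 * Returns 0 on success, -1 with errno set on failure. */
int enter_jail(const char *dir, uid_t uid, gid_t gid) {
    if (!jail_dir_ok(dir) || !jail_target_ok(uid, gid)) {
        errno = EINVAL;
        return -1;
    }
    if (chroot(dir) != 0) return -1;
    if (chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;   /* clear supplementary groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Paranoia check: regaining root must now be impossible. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 5) {
        fprintf(stderr, "usage: %s <jaildir> <uid> <gid> <cmd> [args...]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (enter_jail(argv[1], uid, gid) != 0) {
        perror("enter_jail");
        return 1;
    }
    /* Paths in argv[4..] are now resolved relative to the jail root. */
    execv(argv[4], &argv[4]);
    perror("execv");    /* only reached if exec failed */
    return 1;
}
```

Run as root, e.g. `jailrun /srv/jail 65534 65534 /bin/dnsd` (sample path and uid constructed for illustration): the binary, its libraries and any config must already be copied into /srv/jail, and the process ends up as nobody with cwd inside the jail. Without the grsecurity kernel options, this launcher is the only thing preventing the chdir("/") omission and root-inside-jail mistakes that Friedl's page describes.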