| 1 |
Hi, |
| 2 |
I'm no expert but since you ask for opinions, here are some of mine :) |
| 3 |
(Please, anyone, correct me, where I'm wrong.) |
| 4 |
|
| 5 |
|
| 6 |
> 2) suppose I chroot Apache: what chances it still has to harm something in the |
| 7 |
> outside OS? My knowledge about various system capabilities, network etc is |
| 8 |
> too little, so enlighten me... And how big is an Apache chroot? |
| 9 |
|
| 10 |
Starting with the last question - this, to my knowledge, seems to be |
| 11 |
irrelevant. Chrooting (at least the simple cases I know and use) does |
| 12 |
not require any additional or dedicated disk space. It is, in its |
| 13 |
basic nature, an operation of changing the environment so that it |
| 14 |
seems as if some chosen path (say /usr/chroot) was actually the root |
| 15 |
(/) path. And as such, it is visible to all the programs run in this |
| 16 |
env. |
| 17 |
I'm not sure I understand the first part of the question - do you |
| 18 |
mean, "what chances" of: |
| 19 |
1) the chroot itself harming your OS, |
| 20 |
2) you harming your OS by possible administrative mistakes - chroot confusions, |
| 21 |
or |
| 22 |
3) a potential attacker harming your OS after having compromised the Apache? |
| 23 |
|
| 24 |
All of these are _some_ threats. If I were to try and order them |
| 25 |
according to probabilities of mishaps, it'd be 2-1-3. That's assuming |
| 26 |
you know not-too-much of how the system is structured. But it all |
| 27 |
depends on really many, many, (...) things. For instance, if you just |
| 28 |
hang on to some tutorial, then any of the first two is the more |
| 29 |
possible, the more you decide to do your own way. But generally, I'd |
| 30 |
bet the first is far less probable than 2, while both are quite |
| 31 |
unlikely once you understand the idea of chroot and be careful to keep |
| 32 |
it in mind at all times. |
| 33 |
Still, I must say I know no details of "typical" Apache chroot |
| 34 |
scenarios. As far,as I can imagine, there shouldn't be a place for |
| 35 |
many tricky parts of it. But I'd be pleased to hear someone more |
| 36 |
experienced in these matters. |
| 37 |
The no. 3 is probably by far the least probable, as, firstly - the |
| 38 |
chance of a random, small, non-production http server on the web being |
| 39 |
attacked is very little. That is, the_http_server_itself. I believe it |
| 40 |
is a few times more likely for a _box_ being attacked in other ways, |
| 41 |
just because it showed itself to the web (running a http server), |
| 42 |
rather than the http server itself being targeted against. And |
| 43 |
secondly, once the Apache server is chrooted, the probability of the |
| 44 |
system being harmed in _direct_ consequence of the fact that http got |
| 45 |
compromised is greatly lessened thanks to chroot. Mind the "direct" |
| 46 |
though, as it refers to the previous comment. |
| 47 |
|
| 48 |
> |
| 49 |
> And by the way, how big are the risks for sshd and ntpd to open up a way into |
| 50 |
> the hardened gentoo system? Can that recent ntp glsa be ignored, if its |
| 51 |
> hardened with memory protections? |
| 52 |
|
| 53 |
At this point, again, I have to admit my ignorance, as I don't know in |
| 54 |
what ways sshd, ntpd or any-d at all is actually hardened in h-g. Yet |
| 55 |
I can just bet, that no matter how brilliant ideas of the h-g team are |
| 56 |
brought into effect, potential ssh access being the most looked for by |
| 57 |
the attackers, will be the one that, once gained, would pose the |
| 58 |
greatest threat to the system. (NOW I get to be yelled at ;D) |
| 59 |
I'm not saying it is easy to break into - certainly, in its |
| 60 |
architecture, it isn't! I just mean that, in its nature, it can expose |
| 61 |
the weakest points of your configuration and provide the most |
| 62 |
convenient way of accessing the box, once compromised. Just keep this |
| 63 |
in mind. |
| 64 |
|
| 65 |
Ok, as I probably have made a fool (and ignorant) of myself anyway by |
| 66 |
now, I'll add just one more stupid sentence: I haven't read the glsa |
| 67 |
you refer to, but I would bet there would be many easier ways for an |
| 68 |
attacker to get into a newly-and-n00bly setup server than compromising |
| 69 |
ntpd. |
| 70 |
|
| 71 |
Done. Now I get the laughs, please... |
Archives