Re: [suse-security] Chrooted services
* Volker Kuhlmann; <hidden@xxxxxxxxxxxxxxx> on 13 Dec, 2003 wrote:
> > 1) Create /etc/sysconfig/chroot.d directory and store configuration
> > files for services to be chrooted.
>
> Please no, only one config file in /etc, copy that if needed. On SuSE
> 8.2 several services run chrooted already on demand, e.g. postfix and
> named, and SuSEconfig/rcservice maintain the chroot env automatically.
> Have a look at their mechanisms first, they seem pretty good.
Too late (though you never know), yet my modified init scripts do the
same: they prepare the chroot environment and then start the service, so
there is no need to manually prepare the chrooted directory structure.
> > 2) Create chroot-maker file which will basically read the
> > /etc/sysconfig/chroot.d/FILENAME and create the chrooted environment
>
> If chroot.d/FILENAME contains a list of files needed in the chroot env
> for each service, that would be a good general approach.
That's what I have done so far.
> The tricky bit is to work out which files are needed. I tried with jail
> and sshd once but couldn't get it working.
Well, I got snmpd working in chroot now (except the agent parts, which I
have not played with yet), but the thing so far works with no problem.

I have gotten ssh also chrooted; the part I could not decide is
how I want to check the users' authentication. If I want to trust the
/etc/passwd file, I have to find a way to get the legitimate users into
/chroot/sshd/etc/passwd, or find another way of getting the users
authenticated somehow, as this is the part that is left.

I do not think getting squid or apache involved in the chroot
game is too difficult now (hope I am not mistaken).

The question is how many sockets I can create for syslogd to listen on;
somewhere in my memory 19 is the magic number. If so, is it better to
change to syslog-ng or something else?
Desperately seeking my brain which is lost in the language dilemma :-(
Regards from Stuttgart

Unofficial SuSE FAQ Maintainer
http://susefaq.sf.net
Please reply to the list; please don't CC me.
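An added example of the "chroot-maker" idea discussed above (a script that reads a per-service file list and builds the chroot from it). This is not the poster's script nor SuSE's SuSEconfig/rcservice code; the list format (one absolute path per line, `#` comments allowed) and the use of ldd to discover shared libraries are assumptions. Because ldd may run the program's dynamic loader, only feed it binaries you already trust, which is the case when you are packaging your own service into a jail.

```sh
#!/bin/sh
# Added example (not from the original thread): populate a chroot directory
# from a list of files, pulling in each binary's shared libraries as
# reported by ldd. List format (assumed): one absolute path per line,
# blank lines and lines starting with '#' are ignored. Paths with spaces
# are not supported, which matches how such lists are usually kept.

set -u

# copy_into_chroot CHROOT SRC
#   Copy SRC to CHROOT/SRC, recreating its directory so the layout inside
#   the jail mirrors the host. Fails if SRC does not exist.
copy_into_chroot() {
    chroot_dir=$1
    src=$2
    [ -e "$src" ] || { echo "missing file: $src" >&2; return 1; }
    mkdir -p "$chroot_dir$(dirname "$src")"
    cp -p "$src" "$chroot_dir$src"
}

# lib_deps BINARY
#   Print the absolute paths of shared objects ldd reports for BINARY.
#   Prints nothing (and succeeds) when ldd is absent or BINARY is not a
#   dynamically linked executable, e.g. a config file or a script.
lib_deps() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# chroot_populate CHROOT LISTFILE
#   Copy every file named in LISTFILE, plus its library dependencies, into
#   CHROOT. Returns non-zero as soon as a listed file is missing, so the
#   init script that calls this can refuse to start the service half-built.
chroot_populate() {
    chroot_dir=$1
    list=$2
    for path in $(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$list"); do
        copy_into_chroot "$chroot_dir" "$path" || return 1
        for lib in $(lib_deps "$path"); do
            copy_into_chroot "$chroot_dir" "$lib" || return 1
        done
    done
}

# chroot_check CHROOT LISTFILE
#   Verify that every listed file exists inside CHROOT; prints the missing
#   ones and returns non-zero if any are absent. Useful as a pre-start test.
chroot_check() {
    chroot_dir=$1
    list=$2
    rc=0
    for path in $(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$list"); do
        if [ ! -e "$chroot_dir$path" ]; then
            echo "not in chroot: $path" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage: chroot-maker.sh /chroot/snmpd /etc/sysconfig/chroot.d/snmpd
if [ "$#" -eq 2 ]; then
    chroot_populate "$1" "$2" && chroot_check "$1" "$2"
fi
```

Run it from the service's init script before the daemon is started; on failure the init script should refuse to start rather than leave a partially built jail. Note that the jail's own /etc/passwd, device nodes such as /dev/null or a /dev/log socket for syslogd are deliberately not handled here: those are per-service decisions, not plain file copies.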