[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Chrooted services

To: Suse-Security <suse-security@xxxxxxxx>
Subject: Re: [suse-security] Chrooted services
From: Togan Muftuoglu <toganm@xxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 13 Dec 2003 00:14:57 +0100
Delivered-to: mailing list suse-security@xxxxxxxx
Delivery-date: Sat, 13 Dec 2003 00:15:25 +0100
Envelope-to: suse@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
In-reply-to: <20031212225117.GC4315@xxxxxxxxxxxxxxx>
List-help: <mailto:suse-security-help@suse.com>
List-post: <mailto:suse-security@suse.com>
List-subscribe: <mailto:suse-security-subscribe@suse.com>
List-unsubscribe: <mailto:suse-security-unsubscribe-suse=archive.cert.uni-stuttgart.de@suse.com>
Mail-followup-to: Suse-Security <suse-security@xxxxxxxx>
Mailing-list: contact suse-security-help@xxxxxxxx; run by ezmlm
References: <20031211193045.GF213@xxxxxxxxxxxx> <20031212022648.GC6659@xxxxxxxxxxxxxxx> <20031212141311.GM213@xxxxxxxxxxxx> <20031212225117.GC4315@xxxxxxxxxxxxxxx>

* Volker Kuhlmann; <hidden@xxxxxxxxxxxxxxx> on 13 Dec, 2003 wrote:

1) Create /etc/sysconfig/chroot.d  directory and store configuration
files for services to be chrooted.


Please no, only one config file in /etc, copy that if needed. On SuSE
8.2 several services run chrooted already on demand, e.g. postfix and
named, and SuSEconfig/rcservice maintain the chroot env automatically.
Have a look at their mechanisms first, they seem pretty good.


Too late ( though you never know) yet my modified init scripts do the
same they prepare the chroot environment and then start the service so
no need to manually  prepare the chrooted directory structure

2) Create chroot-maker file which will basically read the
/etc/sysconfig/chroot.d/FILENAME and create the chrooted environment


If chroot.d/FILENAME contains a list of files needed in the chroot env
for each service, that would be a good general approach.


Thats what I have done so far


The tricky bit is to work out which files are needed. I tried with jail
and sshd once but couldn't get it working.


well I got snmpd working in chroot now (except the agents parts which I
have not played with yet.) but the thing so far works with no problem

I have gotten the ssh also in chrooted, the part I could not decide is
how do I want to check the users authentication if I want to trust the
/etc/passwd file I have to find a way to get the legitimate users in
/chroot/sshd/etc/passwd or find another way of getting the users
authenticated somehow as this is the part that is left.

I do not think now getting squid or apache to be involved in the chroot
game too difficult ( hope I am not mistaken )

The question is how many sockets can I create for syslogd to listen
somewhere in my memory 19 is the magic number. If so is it better to
change to syslog-ng or something else ?

Desperately seeking my brain which is lost in the language dilemma :-(


Mfg. von Stuttgart
--

Togan Muftuoglu
Unofficial SuSE FAQ Maintainer		Please reply to the list;
http://susefaq.sf.net			Please don't CC me.



--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here

References:
- [suse-security] Chrooted services
  - From: Togan Muftuoglu
- Re: [suse-security] Chrooted services
  - From: Volker Kuhlmann
- Re: [suse-security] Chrooted services
  - From: Togan Muftuoglu
- Re: [suse-security] Chrooted services
  - From: Volker Kuhlmann

Prev by Date: Re: [suse-security] Chrooted services
Next by Date: Re: [suse-security] Chrooted services
Previous by thread: Re: [suse-security] Chrooted services
Next by thread: Re: [suse-security] Chrooted services
Index(es):
- Date
- Thread