Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Subject: Re: how to chroot shell accounts
From: J C Lawrence (clawKANGA.NU)
Date: Thu Oct 05 2000 - 02:11:19 CDT
- Next message: J C Lawrence: "Re: Snort"
- Previous message: John Paul Martin: "Re: Snort"
- Maybe reply: J C Lawrence: "Re: how to chroot shell accounts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, 4 Oct 2000 19:30:55 -0400
mute <datatwirlGIS.NET> wrote:
> Should all daemons on the system run inside chroot?
Its a choice. Its not necessarily a BAD choice per se, but it can
be a difficult one to justify in many cases.
> Is it possible to make all of them run with chroot?
Outside of things like SSH (for obvious reasons if used for SysAdm),
yes. One can even recurse and create chroot jails inside of chroot
jails. The value in doing such becomes quickly debatable.
> Like, i know apache runs under chroot...
Not typically, no it doesn't, or not that I've seen. The only
daemons I can think of that very commonly run or even by default (in
vendor packages) run in chroot jails are BIND, FTPd and
occassionally your MTA.
> Or am i simply confused, and all daemons by default run inside
Security is a game of intelligent and educated risk assessment.
Chroot jails are a tool. They are not a panacea. Chroot jails are
*NOT* secure if root has been compromised within the jail. Chroot
jails can help your security model, they can help mitigate certain
classes of risks, but they certainly are not the be-all and end-all
of server-side network security. They're just something that helps
noticably on certain risk assessments and cases.
-- J C Lawrence Home: clawkanga.nu ---------(*) Other: coderkanga.nu http://www.kanga.nu/~claw/ Keys etc: finger clawkanga.nu --=| A man is as sane as he is dangerous to his environment |=--