
Re: Chrooted packages, where to put them?



On Wed, 24 May 2000, Marek Habersack wrote:

> ** On May 24, Stephen Frost scribbled:
> > 	I would have to agree with this...  bind should not be running as root,
> > and would be best if it was run in a chroot jail.  I set it up here and it was
> > not a very complex process, perhaps once I get more experience I'll try and do
> > something to better automate the process.
> Setting up itself isn't hard. The harder part is to package it that way. I
> think we should have (assuming more daemons will run chrooted) a separate
> package providing the chroot framework. I imagine it would provide something
> like that:
> 
> /var/chroot/
> /var/chroot/lib <- all the libraries go here
> /var/chroot/etc <- necessary config files
> 
> The chrooted daemons would be installed in a package/ subdir of the chroot
> tree, e.g.:
> 
> /var/chroot/bind
> 
> and create structure of their own hardlinking the libraries and /etc files
> from the /var/chroot/ tree (for that to work all of the packages must be on
> one filesystem). They would run chrooted into their /var/chroot/package/
> directory. All packages would require the chroot package (e.g. chroot-base).
> Comments?

	This seems very similar to the way I had started setting things up on
my system.  I actually made a separate filesystem (/chroot) and stuck bind under
it (/chroot/bind).  I'm trying to think of problems, and I think we'll want to
be careful with the hardlinking.  The idea of having something in a chroot jail
is that if someone breaks into it, they can't affect anything else.  If a
library is shared between two packages and it can be modified by someone in one
of the chroot'ed environments, that could affect the other chroot'ed environments.
	The way I compiled bind, IIRC, was to statically compile it so as to not
have it depend on any libraries.  Now, this does take it up from 452k to 1.8M,
so I can see the desire to avoid that.  This would also require totally separate
packages for everything offered chroot'ed, but then, if something chroot'ed can
affect something else chroot'ed, there doesn't seem a lot of point to having it
chroot'ed to begin with.
	For the /etc structure, I take it we'll only be hardlinking the files
which are used by a package into that package's /var/chroot/bind/etc dir?  For
the reason I mentioned above I think we want to avoid hardlinking the actual
directory.
	Just my thoughts...

		Stephen
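
The hardlinking concern in the message above can be checked mechanically. The following is an added example, not part of the original message: a shell audit that lists inodes reachable from more than one tree under a chroot base, plus a helper that replaces one jail's hard links with private copies. The `ntp` jail, `libdemo.so` and the function names are constructed for illustration, and all trees are assumed to sit on one filesystem, as the proposal requires.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the proposed layout: one tree
# per subdirectory of BASE, all on one filesystem (inode numbers comparable).

# Print "INODE: tree tree ..." for every regular file reachable from more
# than one tree under BASE through hard links.
shared_inodes() {
    for tree in "$1"/*/; do
        [ -d "$tree" ] || continue
        name=$(basename "$tree")
        # Only files with a link count above 1 can be shared.
        find "$tree" -xdev -type f -links +1 -exec ls -di {} + |
            awk -v t="$name" '{ print $1, t }'
    done | sort -u | awk '
        { trees[$1] = trees[$1] " " $2; n[$1]++ }
        END { for (i in n) if (n[i] > 1) print i ":" trees[i] }'
}

# Replace every multiply-linked file in one jail with a private copy, so a
# write inside that jail can no longer reach another tree.
privatize_jail() {
    find "$1" -xdev -type f -links +1 -exec sh -c '
        for f in "$@"; do
            cp -p "$f" "$f.private.$$" && mv -f "$f.private.$$" "$f"
        done' sh {} +
}

# Build a constructed sample layout under DIR: a shared lib tree plus two
# jails (bind, and a hypothetical ntp) that hardlink one library from it.
make_demo_tree() {
    mkdir -p "$1/lib" "$1/bind/lib" "$1/bind/etc" "$1/ntp/lib"
    echo "original" > "$1/lib/libdemo.so"
    ln "$1/lib/libdemo.so" "$1/bind/lib/libdemo.so"
    ln "$1/lib/libdemo.so" "$1/ntp/lib/libdemo.so"
    echo "options {};" > "$1/bind/etc/named.conf"   # private file, one link
}

demo=$(mktemp -d)
make_demo_tree "$demo"
shared_inodes "$demo"        # one line naming bind, lib and ntp
privatize_jail "$demo/bind"
shared_inodes "$demo"        # one line naming lib and ntp only
rm -rf "$demo"
```

An empty report from `shared_inodes` means no file under the base is writable from two trees at once; private copies cost disk space in the same way the static build mentioned above does.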


