
Re: running services in their own little world



on Sat, Jul 24, 2004 at 11:43:39AM -0500, hanasaki (hanasaki@hanaden.com) wrote:

> Steve Suehring wrote:
> >*All* services in /etc/init.d?  Do you mean /etc/inetd.conf services? 
> >Could you narrow down the services that you'd like to chroot?  Some
> >services are fairly trivial to chroot while others are more involved and
> >require some thought before dumping into a chroot.  
> >
> >You might have a look at makejail to see if it provides any value for 
> >you.
> >
> >Steve
> >
> >On Fri, Jul 23, 2004 at 07:09:01PM -0500, hanasaki wrote:
> >
> >>Any package in Debian that will automatically run all /etc/init.d based 
> >>daemons in jail / chroot?

> The idea is to run bind, http and other servers in a jail.  I am just
> getting started and know little about it, for now.  I was hoping that
> there were Debian packages that already provided the jail(s) to run
> these services in.
> 
> thanks.


Please post replies beneath quoted text and trim appropriately (you too,
Steve ;-)

As prior posts said:  you have to think this through.  Samba, for
example, would need access to /home, for a typical setup.  bind is
readily chrooted (and advisably so).  Apache less readily.  ntpd could
probably be jailed.  It's the stuff that largely talks through sockets
and doesn't need extensive filesystem access that's going to be easiest
to segregate.

Look at your risk model.  Look at the services you (need to) run.  Look
at firewalling and other security measures.


Chroot isn't a be-all, end-all solution.  It's useful.  It's a tool.  No
silver bullets here.  Keep this in mind.


Peace.

-- 
Karsten M. Self <karsten@linuxmafia.com>        http://linuxmafia.com/~karsten
    Ceterum censeo, Caldera delenda est.
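The rule of thumb above (daemons that mostly talk through sockets and touch little of the filesystem are the easy chroot candidates) can be turned into a quick footprint check. The script below is an added example, not code from this thread or from Debian; it parses strace-style open()/openat() lines, lists the paths a daemon touched, and flags any under trees such as /home that you would not want to replicate into a jail. The two traces are constructed samples for a bind-like and a Samba-like daemon, not real captures, and the "easy_chroot" threshold of three top-level directories is an assumed heuristic, not a rule from the post.

```python
import re
from typing import Dict, List

# Constructed sample strace-style output (not real captures) for two hypothetical daemons.
# In practice you would capture this with something like `strace -f -e trace=open,openat`.
SAMPLE_TRACES: Dict[str, str] = {
    "named-like": (
        'openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3\n'
        'openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3\n'
        'openat(AT_FDCWD, "/etc/bind/named.conf", O_RDONLY) = 4\n'
        'openat(AT_FDCWD, "/var/cache/bind/db.example", O_RDONLY) = 5\n'
        'socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 6\n'
    ),
    "samba-like": (
        'openat(AT_FDCWD, "/etc/samba/smb.conf", O_RDONLY) = 3\n'
        'openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 4\n'
        'openat(AT_FDCWD, "/var/lib/samba/passdb.tdb", O_RDWR) = 5\n'
        'openat(AT_FDCWD, "/home/alice/report.doc", O_RDONLY) = 6\n'
        'open("/home/bob/notes.txt", O_RDONLY) = 7\n'
    ),
}

# Matches open("/path", ...) and openat(AT_FDCWD, "/path", ...) lines; other syscalls are ignored.
OPEN_RE = re.compile(r'^(?:open|openat)\((?:AT_FDCWD, )?"([^"]+)"')


def paths_touched(trace: str) -> List[str]:
    """Return the unique absolute paths opened in the trace, in first-seen order."""
    seen: List[str] = []
    for line in trace.splitlines():
        m = OPEN_RE.match(line.strip())
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def top_level_dirs(paths: List[str]) -> List[str]:
    """Collapse paths to their first component ('/etc', '/home', ...), sorted."""
    return sorted({"/" + p.lstrip("/").split("/", 1)[0] for p in paths})


def assess(trace: str, forbidden=("/home", "/root")) -> Dict[str, object]:
    """Summarise a daemon's filesystem footprint to inform a chroot decision.

    'copy_in'  : paths the jail would need its own copy of (config, libraries, data).
    'blockers' : paths under trees you would not replicate into a jail (per-user data);
                 hitting these means the service needs more thought than a copy-in jail.
    'easy_chroot' : assumed heuristic, not from the thread: no blockers and a small
                 number of top-level trees touched.
    """
    paths = paths_touched(trace)
    blockers = [p for p in paths if any(p == f or p.startswith(f + "/") for f in forbidden)]
    copy_in = [p for p in paths if p not in blockers]
    dirs = top_level_dirs(paths)
    return {
        "paths": paths,
        "top_dirs": dirs,
        "copy_in": copy_in,
        "blockers": blockers,
        "easy_chroot": not blockers and len(dirs) <= 3,
    }


if __name__ == "__main__":
    for name, trace in SAMPLE_TRACES.items():
        result = assess(trace)
        print(f"{name}: top-level trees {result['top_dirs']}, "
              f"blockers {result['blockers']}, easy chroot: {result['easy_chroot']}")
```

The bind-like trace touches only /etc, /lib and /var and is reported as an easy candidate; the Samba-like trace hits files under /home, which is exactly the case the post warns about. Treat the output as a starting inventory of what the jail must contain, not as proof that the jail is safe; library dependencies (e.g. via ldd) and device nodes still have to be worked out by hand.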


