misiu wrote:
> Hello all,
> I'm new to OpenBSD, I installed it a few times but then did not know
> what to do really. Right now I'm a little more experienced with Linux and I
> thought I'd give it another try.
> Now I'm running an OpenBSD 3.9 box.
> Default setup. I try to run a Webmailbox and later OpenVPN.
> It did not work so I searched long for an answer. I started httpd -u and
> now OpenWebmail is running. I read also that it is insecure, how can I
> run httpd chrooted and OpenWebmail? Did not find any (for me
> understandable) answer.
You are getting some good advice on chrooting in GENERAL, but kinda
missing your specific case by a wide margin.
What does chroot do? Confine an untrusted app within a section of your
file system, preferably one in which they have no write access, so if
the app has a security problem, the damage is minimized. Doesn't make
the app more secure by itself.
BUT...
you need write access. So you grant it.
You need libraries, you copy them over.
You need programs, you copy them over.
You need root access, you grant it.
by this point, you have lost just about all the advantage of chroot, and
spent a lot of time doing it.
Look at OpenWebmail. Neat program for a basic webmail app (and
considerably better than some commercial webmail programs). Amazingly
self-contained, doesn't need an IMAP server. Just off the top of my
head, having installed it in a trial environment a few years ago, it
needs AT LEAST the following:
access to sendmail binaries
access to /var/mail
access to /home
root (that's how it reads the mbox files in /var/mail and /home)
perl
The thing needs root. Gotta have root. No root, no work. If you got
root, you can probably escape from a chroot.
Much better than worrying about chroot'ing OpenWebmail, just put it on a
"disposable" box, with no other secure apps, and make sure you use
passwords/keys on it that don't show up elsewhere on machines you
maintain. Box gets owned? shut it down, figure out what went wrong,
rebuild and repair.
Some places, chrooting is great.
However, simply tossing enough stuff in the chroot to make your app run
does NOT automatically mean the app (or your box!) is any more secure
when done than it was before.
By the time you copy everything over to the chroot, you have not really
gained much advantage /in this case/.
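An added example, not from this thread or from OpenWebmail: a small POSIX shell audit that walks a chroot directory and reports what has been granted inside it, mirroring the list above (writable space, setuid binaries, copied libraries and interpreters). The sample jail it builds is constructed and its file names are assumptions.

```shell
#!/bin/sh
# Report what a chroot has been given that weakens it: writable directories,
# setuid/setgid binaries, and copied libraries or interpreters.
# Prints one line per finding plus FINDINGS=n; returns 0 only when clean.
audit_chroot() {
    root=$1
    report=$(
        # Directories writable by group or others: the confined app can stage files.
        find "$root" -type d \( -perm -0002 -o -perm -0020 \) \
            -exec printf 'writable dir:  %s\n' {} \;
        # setuid/setgid binaries: a route back to root from inside the jail.
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec printf 'setuid/setgid: %s\n' {} \;
        # Shared libraries and interpreters copied in: surface the jail was meant to exclude.
        find "$root" -type f \( -name '*.so*' -o -name perl -o -name sh \) \
            -exec printf 'copied tool:   %s\n' {} \;
    )
    if [ -z "$report" ]; then
        echo "FINDINGS=0"
        return 0
    fi
    printf '%s\n' "$report"
    echo "FINDINGS=$(printf '%s\n' "$report" | wc -l | tr -d ' ')"
    return 1
}

# Build a constructed jail that resembles the needs listed in the post
# (sendmail, /var/mail, /home, perl). Names and modes are assumptions.
make_sample_jail() {
    umask 022
    j=$(mktemp -d)
    mkdir -p "$j/usr/lib" "$j/usr/bin" "$j/usr/sbin" "$j/var/mail" "$j/home/alice"
    : > "$j/usr/lib/libc.so.1"                 # copied library
    : > "$j/usr/bin/perl"                      # copied interpreter
    : > "$j/usr/sbin/sendmail"
    chmod 4755 "$j/usr/sbin/sendmail"          # setuid mailer
    chmod 1777 "$j/var/mail"                   # world-writable spool
    chmod 0775 "$j/home/alice"                 # group-writable home
    echo "$j"
}

# Usage: audit_chroot "$(make_sample_jail)"  -> five findings, exit status 1
```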
> OpenWebmail is not well explained either. Has anyone installed it? (I
> guess for sure) Would that one please contact me offlist?
> I don't want step-by-step help, just to shed a little light in....
been a while...but a few hints:
var needs to be able to exec code and no "nosuid", which IS there on
default OpenBSD installs. Put your home directories physically in /var
if you expect quotas to work as expected, you can symlink them back to
/home if that freaks you out excessively.
That's about all I remember. Oh, and don't have 25 kids change their
PWs all at the same time unless you have around 600M of RAM+Swap
available. Ouch...
Nick.