Jesse Pasichnyk wrote:

Christopher,

Thanks for the heads up, I will definitely test out my chroot environment
for security.
Is it possible to create a "safe" chroot if it has mono installed in it?
(including the compiler)


I have a quick question about mounting my /proc filesystem into my jail
environment.  I have a common jail environment at /home/jail, this gets
mounted into each persons home directory at /home/username/.jail, using
mount --bind.  I then symlink each of the required folders usr,lib,proc,var
and such into the root of the users directory so I only need to mount one
single folder into their home directory.

I'm seeing a few weird things though (running redhat el4).  When I mount my
proc filesystem into /home/jail/proc I can do a "ls -la /home/jail/proc" and
see all the files, however it doesn't show up in a "df|grep proc".

Did you copy over mtab as well? That usually shows what is currently mounted. Also there are ways to control what is displayed from df. Further, there are other security risks involved with users sharing the same chroot path. (It does seem that you are trying to put each user in a unique jail, but...?)

Anyhow, I'm wondering what put you down this chroot path? What exactly is your goal besides simply chrooting mono? If you're truly concerned with security I'd recommend starting with one of the hardened distributions. (Which one is up to you.) These should provide a little better out of box security and allow you to get your end result.

Good luck,

C.
_______________________________________________
Mono-list maillist  -  Mono-list@lists.ximian.com
http://lists.ximian.com/mailman/listinfo/mono-list
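
An added example, not part of the original thread: one way to check whether an mtab copy agrees with the kernel's own mount table for mounts under a jail such as /home/jail. The function names and the sample tables are constructed for illustration; both inputs are assumed to use the /proc/mounts column layout.

```shell
#!/bin/sh
# Added example: compare the kernel's mount table with an mtab copy for a jail.
# Columns in both inputs: device mountpoint fstype options dump pass.

# jail_mounts TABLE ROOT: print mount points at or below ROOT, sorted.
jail_mounts() {
    LC_ALL=C awk -v root="${2%/}" '
        # Require an exact match or a "/" boundary, so /home/jailbird
        # is not mistaken for something inside /home/jail.
        $2 == root || index($2, root "/") == 1 { print $2 }
    ' "$1" | LC_ALL=C sort -u
}

# missing_from_mtab KERNEL_TABLE MTAB ROOT: mount points under ROOT that the
# kernel table reports but the mtab copy does not list.
missing_from_mtab() {
    k=$(mktemp); m=$(mktemp)
    jail_mounts "$1" "$3" > "$k"
    jail_mounts "$2" "$3" > "$m"
    LC_ALL=C comm -23 "$k" "$m"
    rm -f "$k" "$m"
}

# Constructed sample data (not taken from the system in the thread).
sample_kernel_table() { cat <<'EOF'
/dev/sda2 / ext3 rw 0 0
proc /proc proc rw 0 0
/dev/sda2 /home/alice/.jail ext3 rw 0 0
proc /home/jail/proc proc rw 0 0
/dev/sda2 /home/jailbird ext3 rw 0 0
EOF
}
sample_mtab() { cat <<'EOF'
/dev/sda2 / ext3 rw 0 0
proc /proc proc rw 0 0
/home/jail /home/alice/.jail none rw,bind 0 0
EOF
}

# Demo on the constructed data. On a live host, pass /proc/mounts and the
# mtab file being audited instead of the sample files.
demo() {
    d=$(mktemp -d)
    sample_kernel_table > "$d/mounts"; sample_mtab > "$d/mtab"
    missing_from_mtab "$d/mounts" "$d/mtab" /home/jail
    rm -rf "$d"
}
demo
```

Only mount points are compared, because a bind mount appears with the underlying filesystem type in the kernel table and as type none with the bind option in mtab.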