On 5/24/06, Happy Kamote Foundation <[EMAIL PROTECTED]> wrote:
> bind-mounting is NOT a PRACTICAL and RECOMMENDED approach in chrooting
> a service.

Of course, I will agree whole-heartedly for that, but I never
suggested it to be done for a production service; I simply imagined
that it would be an option that could be taken, in light of the
situation wherein you may have a user or group of users who you want
to pull the chroot tricks off to.  Whether it is feasible or not
depends on the site's (OP) policy, and not just on some spinster's
cracks book.

> Isn't bind-mounting usually used for other things, for example
> running 32-bit apps on a 64-bit platform on Debian (there, that's
> even Debian!), but not for security purposes like JAILING a process.

Yes, that is true; I imagined that a bind-mount of an existing /home
would be nice as a convenience feature, but eventually that would be
improved upon by tightening site policy once migration has been done
(transparently.)

You know what, forget what I said about the bind-mount; if I can't say
what I can imagine would be a `relatively nice' idea without someone
else yapping rudely at my face, then I'd better keep silent.

> Since you mentioned bind-mounting via packaging (chroot/chroot/chroot
> haha), I can't see the security essence of what you're doing. As far
> as I know, fake-root packaging is usually for SANITY purposes, and NOT
> for security purposes, which is aligned to this topic (e.g. chrooting
> a machine with a net service such as a webserver).

There wasn't a security essence, for there is none.  Security is just
as strong as the weak link in the chain, and yeah, there is no point
for you (or even me) to discuss anything more about it.

And besides, the thread was about chrooting a user, not just jailing a
process service like FTP or somesuch.  If it were just that, then the
set of considerations for chrooting would have been much, much
smaller, and we wouldn't be dissing off on some petty matter
concerning sudo, chroots and their usage.  However, since this
concerns real users who may be identified as `potentially hostile,'
you will at the very least continue investigation into them without
sounding the alarms...

> Remember grsec? (Yes, that's Linux!) As far as I know, one of its
> SECURITY features is to PREVENT RECURSIVE CHROOTING. *cough cough*

Yeah, grsec... it has been a long time since I've heard the word.
Thanks for reminding me, I'll try that soon ;-)

> as an example if you can give me a ROOT account in your impressively
> recursive chroot environment. I can love your linux long time. :)

Careful.  If you have nothing good to say, don't say it at all.  Go
and love your own boxen.

Cheers,

Zakame

--
Zak B. Elep  ||  http://zakame.spunge.org
[EMAIL PROTECTED]  ||  [EMAIL PROTECTED]
1486 7957 454D E529 E4F1  F75E 5787 B1FD FA53 851D
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph
