Re: Putting Apache, PHP, Tomcat and CGI in a jail
The first thing I do not like is that makejail needs a lot of additional software: python, stat, file etc. As we all know, on production systems it is better to have less software because of potential security holes. OK, we can remove all that software after installation, but how do we then upgrade the chrooted applications, install python, etc. again?

Second, it does not create $CHROOT/etc/passwd and $CHROOT/etc/group correctly. We can do it by hand, but can we trust a program (script) which cannot do:

gawk -F":" '$1 ~ /apache/' /etc/passwd > $CHROOT/etc/passwd

? I do not think so.

Now I am trying to write a script for creating a chrooted environment which uses standard unix tools: bash, ldd, gawk (awk), grep, file. In case of success I will send you the link ;-)

Regards,
Martynas

Sun, 2003-01-05 02:16, Javier Fernández-Sanguino Peña wrote:
> On Sat, Jan 04, 2003 at 09:00:45PM +0200, Martynas Domarkas wrote:
> > Hi, I'm currently trying to use makejail... it does not work very well.
>
> Could you elaborate more on this? I would like to know which issues
> you have come up with.
>
> Also, you might want to take a look at the (recent) Appendix added
> to the "Securing Debian Manual" on how to set up a chroot environment for
> Apache:
> http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-apache-env.en.html
>
> Regards
>
> Javi
Re: Putting Apache, PHP, Tomcat and CGI in a jail
> "Stefano" == Stefano Salvi <[EMAIL PROTECTED]> writes:

Stefano> I'm setting up my new server, based on Debian Woody. I
Stefano> have to host our school website. This site uses parts
Stefano> written in PHP4, and some CGIs. I also want to set up
Stefano> tomcat for a future possible use of JSP and servlets. I
Stefano> think it would be wise to put all this stuff in a chroot
Stefano> jail, but I wonder if it is at all possible. Makejail

Or try user-mode-linux.sf.net.

Sincerely,

Adrian Phillips

-- 
Your mouse has moved. Windows NT must be restarted for the change to
take effect. Reboot now? [OK]
Re: Putting Apache, PHP, Tomcat and CGI in a jail
On Sat, Jan 04, 2003 at 10:34:34 -0500, George Georgalis wrote:
> http://www-106.ibm.com/developerworks/linux/library/l-freevsd.html
> http://www.freevsd.org/
> freeVSD is an advanced web-hosting platform. It allows multiple Virtual
> Servers to be created on a single hosting server.

vserver (http://www.solucorp.qc.ca/miscprj/s_context.hc) seems an
attractive kernel-level alternative.

-- 
Pablo.
Re: [d-security] Re: Putting Apache, PHP, Tomcat and CGI in a jail
Hi

On Sat, Jan 04, 2003 at 09:00:45PM +0200, Martynas Domarkas wrote:
> Hi, I'm currently trying to use makejail... it does not work very well.
> The simple way is to copy /bin/bash with its libraries (try ldd /bin/bash to find
> out which libs you need), so you can do chroot /your/chroot/dir. After
> that do dpkg -L apache and copy the contents of the apache package to the chroot, and
> repeat it with apache-common, tomcat, libapache-mod-php and so on. Then

A different approach is to use the "sbox" command. It allows you not only
to chroot each virtual host into its own space but also to run programs
under different UIDs so that malicious users cannot kill other users'
processes. If you disable some options and .shtml support and compile PHP
as a standalone executable (it then works via mod_rewrite as a CGI) it works
really fine! At least it's the least resource-consuming method I know that
separates filesystems and uids for the vhosts. (Although I haven't tested
user-mode-linux yet, which sounds very promising, too.)

bye,

-christian-

-- 
Christian Hammers      WESTEND GmbH - Aachen und Dueren        Tel 0241/701333-0
[EMAIL PROTECTED]      Internet & Security for Professionals   Fax 0241/911879
                       WESTEND is a CISCO Systems Partner - Authorized Reseller
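The manual procedure quoted above (copy a binary plus the libraries ldd lists for it, then the files of each package from dpkg -L) together with the passwd/group extraction Martynas raises earlier in the thread, written out as an added example. This is not code from the thread, from makejail or from the mkchroot script; it assumes a POSIX sh with awk, ldd, cp, find and mktemp, the function names install_with_libs, install_package_files, filter_accounts and demo are my own, and the passwd/group lines in demo are constructed sample data rather than the real /etc files.

```shell
#!/bin/sh
# Added example, not from the list thread or from makejail/mkchroot:
# populate a chroot with a binary, the shared libraries ldd reports for it,
# the files of an installed package, and a trimmed passwd/group.
set -eu

# Copy one binary plus every library ldd lists for it into $1, keeping the
# absolute path layout so the dynamic loader finds them inside the jail.
# Statically linked binaries produce no library lines and are just copied.
install_with_libs() {
    chroot_dir=$1
    bin=$2
    mkdir -p "$chroot_dir$(dirname "$bin")"
    cp -p "$bin" "$chroot_dir$bin"
    # ldd prints "libc.so.6 => /lib/.../libc.so.6 (0x...)" and
    # "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep only the absolute paths.
    ldd "$bin" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        while read -r lib; do
            mkdir -p "$chroot_dir$(dirname "$lib")"
            cp -p "$lib" "$chroot_dir$lib"
        done
}

# The "dpkg -L apache" step: copy every regular file of an installed Debian
# package into the jail. Symlinks are copied as the files they point to, so
# the jail never contains links that dangle outside it.
install_package_files() {
    chroot_dir=$1
    pkg=$2
    dpkg -L "$pkg" | while read -r path; do
        [ -f "$path" ] || continue
        mkdir -p "$chroot_dir$(dirname "$path")"
        cp -p "$path" "$chroot_dir$path"
    done
}

# Write only the named accounts from a passwd- or group-format file to $2.
# Exact match on the name field: the thread's $1 ~ /apache/ is a substring
# regex and would also copy e.g. "apache-admin" into the jail.
filter_accounts() {
    src=$1
    dst=$2
    shift 2
    awk -F: -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $1 in want' "$src" > "$dst"
}

# Stand-alone demo on constructed sample data (not the real /etc files).
demo() {
    jail=$(mktemp -d)
    mkdir -p "$jail/etc"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' \
        'apache-admin:x:1001:1001::/home/apache-admin:/bin/sh' > "$jail/passwd.sample"
    printf '%s\n' 'root:x:0:' 'www-data:x:33:' 'sudo:x:27:apache-admin' > "$jail/group.sample"
    filter_accounts "$jail/passwd.sample" "$jail/etc/passwd" www-data
    filter_accounts "$jail/group.sample" "$jail/etc/group" www-data
    install_with_libs "$jail" /bin/sh
    echo "files placed in the jail $jail:"
    find "$jail" -type f | sort
    rm -rf "$jail"
}

demo
```

Two points worth keeping in mind when using this on a real box. On glibc systems ldd resolves libraries by running the dynamic loader on the file, so only point it at binaries that came from your own installed packages, never at something untrusted you are trying to inspect. And the jail's passwd and group should list only the accounts the service needs (with an exact name match), since every extra line is information and a login target that does not need to be inside the chroot.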
Re: Putting Apache, PHP, Tomcat and CGI in a jail
On Sun, Jan 05, 2003 at 12:59:47PM +0100, Adrian Phillips wrote:
> > "Stefano" == Stefano Salvi <[EMAIL PROTECTED]> writes:
>
> Stefano> I'm setting up my new server, based on Debian Woody. I
> Stefano> have to host our school website. This site uses parts
> Stefano> written in PHP4, and some CGIs. I also want to setup
> Stefano> tomcat for a future possible use of JSP an servlets. I
> Stefano> think it would be wise to put all this stuff in a chroot
> Stefano> jail, but I wonder if it is at all possible. Makejail
>
> Or try user-mode-linux.sf.net.

(and/or apt-get install user-mode-linux)

-- 
 - mdz
Re: How to get the current security updates on CD?
SteX <[EMAIL PROTECTED]> writes:

> On a stormy day a lightning flash occurred: it carried the message from
> [EMAIL PROTECTED]:
>
> § How can I get the security updates in CD form?
> § I went to http://www.debian.org/security, but I couldn't find anything
> § like CD images.
>
> You had better add the following lines in /etc/apt/sources.list

You don't want to do this with critical production systems. apt-get does
not verify the authenticity of the packages.

-- 
Florian Weimer                    [EMAIL PROTECTED]
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898
Re: Putting Apache, PHP, Tomcat and CGI in a jail
OK people. I'm not sure that I had reason to do it - you will tell me.
I wrote a script for chrooting applications (FOR DEBIAN ONLY). You can find it at:

http://joker.hansabank.lt/mkchroot

I tried to chroot perl, apache, libapache-mod-ssl. I think it should chroot
php4 and phplib. CGI runs as on normal apache...

Comments and usage instructions are inside the script.

Regards,
Martynas

Sun, 2003-01-05 05:34, George Georgalis wrote:
> On Sun, Jan 05, 2003 at 01:16:31AM +0100, Javier Fernández-Sanguino Peña wrote:
> >On Sat, Jan 04, 2003 at 09:00:45PM +0200, Martynas Domarkas wrote:
> >> Hi, I'm currently trying to use makejail... it does not work very well.
> >
> > Could you elaborate more on this? I would like to know which issues
> >you have come up with.
> >
> > Also, you might want to take a look at the (recent) Appendix added
> >to the "Securing Debian Manual" on how to set up a chroot environment for
> >Apache:
> >http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-apache-env.en.html
>
> Cool, here are some more links,
>
> http://penguin.epfl.ch/chroot.html
> apache chroot
> http://www-106.ibm.com/developerworks/linux/library/l-freevsd.html
> http://www.freevsd.org/
> freeVSD is an advanced web-hosting platform. It allows multiple Virtual
> Servers to be created on a single hosting server.
>
> // George
>
> --
> GEORGE GEORGALIS, System Admin/Architect        cell: 347-451-8229
> Security Services, Web, Mail,                   mailto:[EMAIL PROTECTED]
> Multimedia, DB, DNS and Metrics.                http://www.galis.org/george