Re: putting Apache into chroot()-prison
On Sun, Dec 31, 2000 at 12:01:48AM -0800, Nate Amsden wrote:
> Nathan E Norman wrote:
>
> > Do you realise you quoted 40 lines of the original message and added 1
> > meaningful line? What a waste of bandwidth.
>
> hah. my 1meg dsl line runs average at 2.8% for the past week,
> i got plenty of bandwidth to spare :P

Oh, so you're now hosting the Debian mailing lists?

(hint: unless you are, you are not providing the -real- bandwidth needed to carry this list. Your comment is about as appropriate as responding to a hungry person with "oh, but I have lots of food, it's okay for me to throw it away")
Re: putting Apache into chroot()-prison
Nathan E Norman wrote:
> Do you realise you quoted 40 lines of the original message and added 1
> meaningful line? What a waste of bandwidth.

hah. my 1meg dsl line runs average at 2.8% for the past week,
i got plenty of bandwidth to spare :P

http://portal.aphroland.org/mrtg/

nate

--
:::
ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
[EMAIL PROTECTED]
Re: putting Apache into chroot()-prison
From what I've been able to gather, chroot can be secure, but only if the user can never get root. FreeBSD's jail had a recent problem. Mounting /proc inside the chroot is not a good idea.

In a message dated 12/27/00 7:01:21 PM Eastern Standard Time, [EMAIL PROTECTED] writes:

> not to discourage you but it's pretty well known chroot() is not
> an ultimate solution for security, it has been in the past
> rather easy to break out of it, from what i remember you
> may be better off running freebsd and its jail() (??)
> function which is a souped up chroot(). all im trying to say
> is don't expect chroot() to improve security much, a determined
> cracker can defeat it (esp on linux) pretty easy. search BUGTRAQ
> for the discussions on the latest BIND problems (probably
> about 6 months ago..) interesting discussions.
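An added example, not part of any message in this thread: a Python audit of a chroot tree for the two conditions raised above, a route to root inside the jail (setuid/setgid files) and a proc filesystem mounted under it. It also flags device nodes, which the thread does not mention; the function names, finding labels and the sample mount table are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_jail(jail, mounts_text):
    """Return sorted (kind, path) findings for the chroot tree at `jail`.

    mounts_text is the content of /proc/mounts as seen from OUTSIDE the jail.
    """
    jail = os.path.realpath(jail)
    findings = []
    # proc mounted at or below the jail exposes host process state to it.
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "proc":
            mountpoint = fields[1]
            if mountpoint == jail or mountpoint.startswith(jail + os.sep):
                findings.append(("proc-mounted", mountpoint))
    for dirpath, dirnames, filenames in os.walk(jail):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            # A setuid/setgid program is a way to change identity inside the jail.
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setuid-or-setgid", path))
            # Device nodes can give direct access to host disks and memory.
            elif stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                findings.append(("device-node", path))
    return sorted(findings)

def build_sample_jail():
    """Constructed sample: a tiny jail with one setuid file and one plain file."""
    jail = os.path.realpath(tempfile.mkdtemp(prefix="jail-"))
    os.mkdir(os.path.join(jail, "bin"))
    for name, mode in (("su", 0o4755), ("ls", 0o755)):
        path = os.path.join(jail, "bin", name)
        open(path, "w").close()
        os.chmod(path, mode)
    # Constructed mount table: host /proc plus a proc mounted inside the jail.
    mounts = "proc /proc proc rw 0 0\nproc %s/proc proc rw 0 0\n" % jail
    return jail, mounts

if __name__ == "__main__":
    jail, mounts = build_sample_jail()
    for kind, path in audit_jail(jail, mounts):
        print(kind, path)
```

Run it as a user who can read the whole tree, and pass the mount table read from outside the jail.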
Re: putting Apache into chroot()-prison
Subject: Re: putting Apache into chroot()-prison
Date: Thu, Dec 28, 2000 at 03:19:53PM -0600

In reply to: Nathan E Norman

Quoting Nathan E Norman ([EMAIL PROTECTED]):
>
> No, it's a company as demonstrated by the "Micromuse Inc.". `whois
> micromuse.com', and a look at http://www.micromuse.com. Thanks for the
> well thought out attempt at a put-down. I'll avoid condescending
> remarks based on your email address.

Very well done Nathan, I was about to reply to the original poster as well but you did it much better! I am getting really tired of the lack of manners when it comes to mail on this list.

Regards
Wayne

--
You had mail, but the super-user read it, and deleted it!
Re: putting Apache into chroot()-prison
On Thu, Dec 28, 2000 at 04:02:03PM -0500, [EMAIL PROTECTED] wrote:
>
> Hey Norman,

The name's Nathan ... I realize it's a difficult name to parse.

> As an unbiased observer I will comment on your
> comment concerning the quote/content ratio of the other
> poster. You have your preferences. Tons of flamewars are
> started when people selectively quote and people respond
> t o statementso the out of context. Nine lines is an
> excessive .sig, I grant. I've never used a .sig though, so
> I can say that.

My comments (and preferences) are based on long-standing Use-Net tradition which is generally followed by caring mailing list participants. When in Rome, do as the Romans do and all that.

You should quote enough material so that successive posters can't take a quote out of context. You don't need to quote everything, especially sigs and blank lines.

> If you want to pass a law, write your representative,
> or become a representative.

I don't believe I said anything about passing a law. What are you, some kind of troll?

> Hey, is micro muse a statement about small thoughts?

No, it's a company as demonstrated by the "Micromuse Inc.". `whois micromuse.com', and a look at http://www.micromuse.com. Thanks for the well thought out attempt at a put-down. I'll avoid condescending remarks based on your email address.

--
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc.                 | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]       |   -- Patton
Re: putting Apache into chroot()-prison
On Thu, Dec 28, 2000 at 01:35:50PM +0400, Rino Mardo wrote:
> On Wed, Dec 27, 2000 at 03:57:27PM -0800 or thereabouts, Nate Amsden wrote:

[ 21 lines deleted ]

> > not to discourage you but it's pretty well known chroot() is not
> > an ultimate solution for security, it has been in the past
> > rather easy to break out of it, from what i remember you
> > may be better off running freebsd and its jail() (??)
> > function which is a souped up chroot(). all im trying to say
>
> what about OpenBSD (OAMP)?

What about it? If OpenBSD has jail() I expect the same reasoning applies.

[ 19 lines deleted + 9 for sig ]

Do you realise you quoted 40 lines of the original message and added 1 meaningful line? What a waste of bandwidth.

--
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc.                 | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]       |   -- Patton
Re: putting Apache into chroot()-prison
On Wed, Dec 27, 2000 at 03:57:27PM -0800 or thereabouts, Nate Amsden wrote:
> "R. M. Lampert" wrote:
> >
> > Hi, folks!
> >
> > Due to some very unpleasant experience in the company
> > I'm working at (rootshell attack due to a buffer overflow
> > intrusion in httpd...) there's a great need with us
> > to inform thoroughly about changing to a safer environment,
> > that is LAMP or even better NAMP (NetBSD, Apache ... there
> > are some very unpalatable truths in the world, indeed!).
> >
> > Of topmost interest is building Apache and everything
> > that is associated with it (particularly MySQL, PHP, Perl)
> > within a chroot() environment to lock intruders within
> > this special ,,root directory``.
> >
> > Do you know any pointer to chroot()-information that includes
> > some kind of HOWTO rather than a list of advantages of this
> > approach?
>
>
> not to discourage you but it's pretty well known chroot() is not
> an ultimate solution for security, it has been in the past
> rather easy to break out of it, from what i remember you
> may be better off running freebsd and its jail() (??)
> function which is a souped up chroot(). all im trying to say

what about OpenBSD (OAMP)?

> is don't expect chroot() to improve security much, a determined
> cracker can defeat it (esp on linux) pretty easy. search BUGTRAQ
> for the discussions on the latest BIND problems (probably
> about 6 months ago..) interesting discussions.
>
> nate
>
> --
> :::
> ICQ: 75132336
> http://www.aphroland.org/
> http://www.linuxpowered.net/
> [EMAIL PROTECTED]

--
Key fingerprint = 9DE1 5825 77B4 FF45 7485 D3EB DCCF DE48 09B6 4426
"Who's watching the watchmen?"
Re: putting Apache into chroot()-prison
"R. M. Lampert" wrote:
>
> Hi, folks!
>
> Due to some very unpleasant experience in the company
> I'm working at (rootshell attack due to a buffer overflow
> intrusion in httpd...) there's a great need with us
> to inform thoroughly about changing to a safer environment,
> that is LAMP or even better NAMP (NetBSD, Apache ... there
> are some very unpalatable truths in the world, indeed!).
>
> Of topmost interest is building Apache and everything
> that is associated with it (particularly MySQL, PHP, Perl)
> within a chroot() environment to lock intruders within
> this special ,,root directory``.
>
> Do you know any pointer to chroot()-information that includes
> some kind of HOWTO rather than a list of advantages of this
> approach?

not to discourage you but it's pretty well known chroot() is not
an ultimate solution for security, it has been in the past
rather easy to break out of it, from what i remember you
may be better off running freebsd and its jail() (??)
function which is a souped up chroot(). all im trying to say
is don't expect chroot() to improve security much, a determined
cracker can defeat it (esp on linux) pretty easy. search BUGTRAQ
for the discussions on the latest BIND problems (probably
about 6 months ago..) interesting discussions.

nate

--
:::
ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
[EMAIL PROTECTED]
Re: putting Apache into chroot()-prison
Here are a couple links which should help you get on your way. (Thanks to Stas Bekman, just another mod_perl hacker)

http://www.securityfocus.com/focus/sun/articles/apache-inst.html
http://forum.swarthmore.edu/epigone/modperl/stimlorthen
putting Apache into chroot()-prison
Hi, folks!

Due to some very unpleasant experience in the company I'm working at (rootshell attack due to a buffer overflow intrusion in httpd...) there's a great need with us to inform thoroughly about changing to a safer environment, that is LAMP or even better NAMP (NetBSD, Apache ... there are some very unpalatable truths in the world, indeed!).

Of topmost interest is building Apache and everything that is associated with it (particularly MySQL, PHP, Perl) within a chroot() environment to lock intruders within this special ,,root directory``.

Do you know any pointer to chroot()-information that includes some kind of HOWTO rather than a list of advantages of this approach?

Thanx in advance,

--
Matthias Lampert          .^.
Graal-Müritzer-Str. 1b || /V\
22885 Barsbüttel       ||/( )\
Tel: (040) 670 89 445  || ^^-^^