
Re: [cobalt-security] Apache running as root . . . .



My 2 cents:
I think many of us agree that it would be interesting to provide this
type of service (the service being jailed/chrooted shell accounts).  There
are some possibilities for this in existence now, including (I believe)
freevsd, which is often mistaken for a completely different product,
FreeBSD.

You would not have to re-write Linux to provide this service, but you
would have to write some type of daemon process that behaves just like
in.telnetd, but is confined to a chrooted area.

I'm not sure exactly how freevsd does this, but I do know it's probably
not feasible, as it requires a complete 'filesystem within a filesystem'
so that users can have the executables that they desire.  (Obviously,
any executables outside of the chroot area are inaccessible.)  Maybe with
judicious use of hardlinking, this would be possible (except that /usr
is on a different filesystem than /home, making hard links impossible).

I'm going to get around to installing freevsd soon.  If you really want
to allow your users to have safe shell access to the server, then maybe
you should too.

Matt Nuzum
P.S. Maybe freevsd is installable on Cobalt RaQs?

On Mon, 2002-02-11 at 12:59, Jeff Lasman wrote:
    Michael Stauber wrote:
    
    > Correct, ProFTPd does this. However, it would be very desirable if SSH and
    > Telnet would do so by default as well.
    
    And you're suggesting we rewrite Linux how, Michael <wry grin>?
    
    You can jail each customer into his/her own space, (the virtual server
    approach), and yes, you might want to do that.  But it's not something
    that the RaQ does.  Or will do, likely.
    
    See "man jail" on a FreeBSD system <smile>.
    
    Jeff
    -- 
    Jeff Lasman <jblists@xxxxxxxxxxxxx>
    Linux and Cobalt/Sun/RaQ Consulting
    nobaloney.net
    P. O. Box 52672, Riverside, CA  92517
    voice: (909) 778-9980  *  fax: (702) 548-9484
    _______________________________________________
    cobalt-security mailing list
    cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
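
The hard-link limitation raised in the reply above, as an added example that is not part of the original thread and is not how freevsd works: populating a chroot area by hard-linking a binary, and falling back to a copy when the kernel refuses with EXDEV because the source and the jail are on different filesystems (the /usr versus /home case). The function name `place_in_jail`, the injectable `link` parameter and the temporary paths are assumptions made for illustration.

```python
import errno
import os
import shutil
import stat
import tempfile


def place_in_jail(src, jail_root, link=os.link):
    """Put src at the same absolute path under jail_root.

    Returns "hardlink" or "copy". `link` is injectable (hypothetical hook)
    so the cross-filesystem case can be shown without a second mount.
    """
    src = os.path.abspath(src)
    dst = os.path.join(jail_root, src.lstrip(os.sep))
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    if os.path.lexists(dst):
        os.unlink(dst)
    try:
        # A hard link shares the inode with the host file: no extra space,
        # but a write through the jail path would change the host binary,
        # so linked files must not be writable by the jailed user.
        link(src, dst)
        return "hardlink"
    except OSError as exc:
        if exc.errno != errno.EXDEV:   # EXDEV = different filesystems
            raise
    shutil.copy2(src, dst)             # independent inode inside the jail
    # Drop setuid/setgid and all write bits on the jail's private copy.
    mode = stat.S_IMODE(os.stat(dst).st_mode)
    os.chmod(dst, mode & ~(stat.S_ISUID | stat.S_ISGID | 0o222))
    return "copy"


def demo():
    """Run both cases on a constructed file in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "host", "bin", "tool")   # constructed sample
        os.makedirs(os.path.dirname(src))
        with open(src, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(src, 0o755)
        jail = os.path.join(tmp, "jail")
        dst = os.path.join(jail, src.lstrip(os.sep))

        same_fs = place_in_jail(src, jail)
        shared = os.stat(src).st_ino == os.stat(dst).st_ino

        def cross_device(_a, _b):      # simulates /usr -> /home
            raise OSError(errno.EXDEV, os.strerror(errno.EXDEV))

        other_fs = place_in_jail(src, jail, link=cross_device)
        separate = os.stat(src).st_ino != os.stat(dst).st_ino
        copy_mode = stat.S_IMODE(os.stat(dst).st_mode)
        return same_fs, shared, other_fs, separate, copy_mode
```

A usable jail also needs each binary's shared libraries and device nodes placed the same way; this block covers only the link-or-copy decision.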