RE: [cobalt-security] Apache running as root . . . .



These links are for people who would actually like to chroot Apache.

http://penguin.epfl.ch/chroot.html
http://www.jtz.org.pl/Inne/Apache_chroot_mini_HOWTO.html
http://home.iae.nl/users/devet/apache/chroot/

- - -
Opinions expressed do not necessarily represent the views of my employer.

> -----Original Message-----
> From: cobalt-security-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of
> Matthew Nuzum
> Sent: Monday, February 11, 2002 3:16 PM
> To: cobalt-security
> Subject: Re: [cobalt-security] Apache running as root . . . .
>
>
> My 2 cents:
> I think many of us agree that it would be interesting to provide this
> type of service.  (service being jailed/chrooted shell accounts)  There
> are some possibilities for this in existence now, including (I believe)
> freevsd which is often mistaken for a completely different product,
> FreeBSD.
>
> You would not have to re-write Linux to provide this service, but you
> would have to write some type of daemon process that behaves just like
> in.telnetd, but is confined to a chrooted area.
>
> I'm not sure exactly how freevsd does this, but I do know it's probably
> not feasible, as it requires a complete 'filesystem within a filesystem'
> so that users can have the executables that they desire.  (obviously,
> any executables outside of the chroot area are inaccessible)  Maybe with
> judicious use of hardlinking, this would be possible (except that /usr
> is on a different filesystem than /home making hard links impossible).
>
> I'm going to get around to installing freevsd soon.  If you really want
> to allow your users to have safe shell access to the server, then maybe
> you should too.
>
> Matt Nuzum
> P.S. maybe freevsd is installable on Cobalt Raqs?
>
> On Mon, 2002-02-11 at 12:59, Jeff Lasman wrote:
>     Michael Stauber wrote:
>
>     > Correct, ProFTPd does this. However, it would be very desirable if SSH and
>     > Telnet would do so by default as well.
>
>     And you're suggesting we rewrite Linux how, Michael <wry grin>?
>
>     You can jail each customer into his/her own space, (the virtual server
>     approach), and yes, you might want to do that.  But it's not something
>     that the RaQ does.  Or will do, likely.
>
>     See "man jail" on a FreeBSD system <smile>.
>
>     Jeff
>     --
>     Jeff Lasman <jblists@xxxxxxxxxxxxx>
>     Linux and Cobalt/Sun/RaQ Consulting
>     nobaloney.net
>     P. O. Box 52672, Riverside, CA  92517
>     voice: (909) 778-9980  *  fax: (702) 548-9484
>     _______________________________________________
>     cobalt-security mailing list
>     cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
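
The thread's point about needing a "filesystem within a filesystem", with hard links failing when /usr and /home are separate filesystems, can be seen in a small jail-populating script. This is an added example, not code from any poster or from freevsd; the function names `shared_libs`, `place` and `populate` are assumptions made for illustration.

```python
import errno, os, re, shutil, subprocess, sys

def shared_libs(binary):
    """Absolute paths of the shared objects ldd lists for a trusted binary."""
    out = subprocess.run(["ldd", binary], capture_output=True, text=True).stdout
    # Matches "libc.so.6 => /lib/libc.so.6 (0x...)" and "/lib64/ld-linux... (0x...)"
    return sorted(set(re.findall(r"(/\S+)\s+\(0x", out)))

def place(src, jail, link=os.link):
    """Mirror src at the same absolute path under jail; return 'link' or 'copy'."""
    dst = os.path.join(jail, os.path.abspath(src).lstrip("/"))
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    if os.path.lexists(dst):
        os.remove(dst)
    try:
        # Link the real file, so a symlinked library name still resolves in the jail.
        link(os.path.realpath(src), dst)
        return "link"
    except OSError as e:
        # EXDEV: source and jail are on different filesystems (the /usr vs /home case).
        # EPERM: the kernel refuses to hard-link a file the caller does not own.
        if e.errno not in (errno.EXDEV, errno.EPERM):
            raise
    shutil.copy2(src, dst)  # fallback: independent copy inside the jail
    return "copy"

def populate(jail, binaries, resolve=shared_libs, link=os.link):
    """Place each binary and the libraries it needs; return {path: how}."""
    placed = {}
    for binary in binaries:
        for path in [binary, *resolve(binary)]:
            if path not in placed:
                placed[path] = place(path, jail, link)
    return placed

if __name__ == "__main__":
    # Usage: python3 mkjail.py /home/jail /bin/sh /bin/ls
    jail_dir, *bins = sys.argv[1:]
    for path, how in populate(jail_dir, bins).items():
        print(how, path)
```

A hard-linked file shares its inode with the host copy, so anything able to write to it through the jail path also changes the host's file; the copy fallback does not have that property but must be refreshed when the host binary is patched.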