Re: [cobalt-security] Apache running as root . . . .
- Subject: Re: [cobalt-security] Apache running as root . . . .
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Mon, 11 Feb 2002 22:24:27 +0100
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Matt,

> You would not have to re-write Linux to provide this service, but you
> would have to write some type of daemon process that behaves just like
> in.telnetd, but is confined to a chrooted area.

Correct. You see, a co-worker of mine is a contributor / developer for
Rocklinux and they use the following approach for SSH and FTP:

They do an NFS-export of the user's home directory and of /usr/local/bin and
/usr/local/sbin.

Then they create a chrooted jail into which they mount the user's home
directory and the directories with the executables the user needs. The jail
also contains its own /tmp and /dev/null and a few other essentials. Of
course NFS / Portmapper is blocked to the outside world by a firewall rule.

Creating the jail isn't the problem, even on the Cobalts.

There certainly is a better resource than the URL below, but you might want
to look at it for the general idea:

http://www.linuxdoc.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap21sec167.html

As for SSH or a daemon that "spawns" into the jail ... this can possibly be done
without a rewrite of the daemon. Maybe as easy as by substituting a special
shell for all the "jailed" users. See URL below:

http://www.aarongifford.com/computers/chrsh.html

I haven't tested "chrsh" yet, but I'll do so this weekend when I have some
time at hand. It sounds quite promising.

--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
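
The "special shell for jailed users" idea from the message above, as an added example in C (not part of the original post and not chrsh's code): a setuid-root login shell that chroots, drops privileges irreversibly, then execs the shell inside the jail. `JAIL_ROOT`, `jail_relative` and `enter_jail` are hypothetical names, and it assumes each jailed user's passwd home directory lies below the jail root.

```c
/* Login-shell wrapper for jailed users. Assumes: installed setuid-root,
 * passwd home directories live below JAIL_ROOT (a hypothetical path). */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL_ROOT "/home/jail"

/* In-jail part of `home` ("/" for the jail root itself), or NULL when home is
 * outside the jail. The boundary test stops "/home/jail2" matching the prefix
 * "/home/jail"; any "/.." is refused outright (conservative). */
const char *jail_relative(const char *jail, const char *home)
{
    size_t n = strlen(jail);
    if (n == 0 || strncmp(home, jail, n) != 0) return NULL;
    if (strstr(home, "/..") != NULL) return NULL;
    if (home[n] == '\0') return "/";
    return home[n] == '/' ? home + n : NULL;
}

/* Order matters: chroot while root, chdir("/") so no handle is left outside,
 * then groups, gid, uid, and finally prove root cannot be regained. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (chdir(jail) != 0 || chroot(".") != 0 || chdir("/") != 0) return -1;
    if (setgroups(1, &gid) != 0) return -1;      /* drop supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* drop did not stick */
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid());      /* real uid of the caller */
    const char *rel = (pw && pw->pw_uid != 0)
                      ? jail_relative(JAIL_ROOT, pw->pw_dir) : NULL;
    if (rel == NULL) { fprintf(stderr, "not a jailed account\n"); return 1; }
    if (enter_jail(JAIL_ROOT, pw->pw_uid, pw->pw_gid) != 0) return 1;
    if (chdir(rel) != 0 && chdir("/") != 0) return 1;
    execl("/bin/sh", "-sh", (char *)NULL);       /* shell binary inside jail */
    return 1;                                    /* exec failed */
}
```

The jail must contain its own `/bin/sh` and the libraries it needs, and nothing inside it should be setuid-root.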