
Re: [cobalt-security] Apache running as root . . . .



I have used chrsh on a RAQ4 with good results. However, since the number of
NFS mounts is limited to 256 (I think), it also limits the number of users you
can put on the server. That is, if you create a jail that prevents users seeing
each other's files, etc.

Jason

----- Original Message -----
From: "Michael Stauber" <cobalt@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Tuesday, February 12, 2002 6:24 AM
Subject: Re: [cobalt-security] Apache running as root . . . .


> Hi Matt,
>
> > You would not have to re-write Linux to provide this service, but you
> > would have to write some type of daemon process that behaves just like
> > in.telnetd, but is confined to a chrooted area.
>
> Correct. You see, a co-worker of mine is a contributor / developer for
> Rocklinux and they use the following approach for SSH and FTP:
>
> They do an NFS-export of the user's home directory and of /usr/local/bin and
> /usr/local/sbin
>
> Then they create a chrooted jail into which they mount the user's home
> directory and the directories with the executables the user needs. The jail
> also contains its own /tmp and /dev/null and a few other essentials. Of
> course NFS / Portmapper is blocked to the outside world by a firewall rule.
>
> Creating the jail isn't the problem, even on the Cobalts.
>
> There certainly is a better resource than the URL below, but you might want
> to look at it for the general idea:
>
> http://www.linuxdoc.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap21sec167.html
>
> As for SSH or a daemon that "spawns" into the jail ... this can possibly be
> done without a rewrite of the daemon. Maybe as easy as by substituting a
> special shell for all the "jailed" users. See URL below:
>
> http://www.aarongifford.com/computers/chrsh.html
>
> I haven't tested "chrsh" yet, but I'll do so this weekend when I have some
> time at hand. It sounds quite promising.
>
> --
>
> With best regards,
>
> Michael Stauber
> mstauber@xxxxxxxxxxxxxx
> Unix/Linux Support Engineer
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
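A minimal chroot login shell in the spirit of the chrsh approach discussed above, as an added example that is not chrsh's own code and not part of the thread. It assumes one jail per user under /jail/<username> (a hypothetical layout) and that /bin/sh, /tmp and /dev/null exist inside each jail as the quoted message describes.

```c
/* jailsh.c: installed setuid root and set as the user's login shell, it
   chroots the user into /jail/<username> and runs /bin/sh there with the
   user's own uid/gid. The /jail layout is an assumption of this example. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <grp.h>
#include <sys/types.h>

#define JAIL_BASE "/jail"

/* Build the jail path for a user name. Only [a-z0-9_-] is accepted so the
   name can never carry '/' or '.' and escape JAIL_BASE. 0 on success, -1 otherwise. */
int jail_path(const char *user, char *out, size_t outlen) {
    if (user == NULL || *user == '\0' || strlen(user) > 32) return -1;
    for (const char *p = user; *p; p++) {
        if (!((*p >= 'a' && *p <= 'z') || (*p >= '0' && *p <= '9') || *p == '_' || *p == '-'))
            return -1;
    }
    int n = snprintf(out, outlen, "%s/%s", JAIL_BASE, user);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Enter the jail, then drop root: chroot, chdir("/"), supplementary groups,
   gid, uid, in that order. Every failure is fatal: continuing would leave the
   session outside the jail or still running as root. */
static void enter_jail(const char *jail, uid_t uid, gid_t gid) {
    if (chroot(jail) != 0 || chdir("/") != 0) { perror("chroot"); exit(1); }
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) { perror("setuid"); exit(1); }
    if (setuid(0) == 0) { fprintf(stderr, "privilege drop failed\n"); exit(1); } /* must fail now */
}

int main(int argc, char **argv) {
    struct passwd *pw = getpwuid(getuid()); /* real uid: the user who logged in */
    char jail[256];
    if (pw == NULL || jail_path(pw->pw_name, jail, sizeof jail) != 0) {
        fprintf(stderr, "refusing to jail unknown user\n"); return 1;
    }
    enter_jail(jail, pw->pw_uid, pw->pw_gid);
    if (argc >= 3 && strcmp(argv[1], "-c") == 0)          /* "ssh host cmd" style */
        execl("/bin/sh", "sh", "-c", argv[2], (char *)NULL);
    else
        execl("/bin/sh", "-sh", (char *)NULL);           /* leading '-' = login shell */
    perror("exec /bin/sh");
    return 1;
}
```

Built with `cc -o jailsh jailsh.c`, installed `chown root:root; chmod 4755`, and given as the login shell in /etc/passwd, the jail's own /bin/sh is what the user ends up in; the setuid(0) check catches a silent failure to drop privileges.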