Re: [cobalt-security] Apache running as root . . . .
- Subject: Re: [cobalt-security] Apache running as root . . . .
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Mon, 11 Feb 2002 21:12:15 -0800
- Organization: nobaloney.net
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Matthew Nuzum wrote:
> My 2 cents:
> I think many of us agree that it would be interesting to provide this
> type of service. (service being jailed/chrooted shell accounts) There
> are some possibilities for this in existence now, including (I believe)
> freevsd which is often mistaken for a completely different product,
> freeBSD.
Funny you should bring that up. A month ago I was ready to open a
"jailed/chrooted shell account service" using FreeBSD, because of the
"jail". I didn't because everyone on the various FreeBSD lists,
including those who recommended freeVsd, said I'd be crazy, that I'd
spend the rest of my life chasing hackers and crackers.
> You would not have to re-write Linux to provide this service, but you
> would have to write some type of daemon process that behaves just like
> in.telnetd, but is confined to a chrooted area.
>
> I'm not sure exactly how freevsd does this, but I do know it's probably
> not feasible, as it requires a complete 'filesystem within a filesystem'
> so that users can have the executables that they desire.
Even the freeBSD "jail" command requires this. The only way around it
is the way Proftpd does it; by writing the commands (ls, etc.) directly
into the command.
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484