Hi, I am building a server and I need to put services under chroot using compartment. Before I dive into it, has anyone done this with SuSE 8.2 and is willing to share the chroot setups :-) (I know I am getting lazy, yet after my German classes I can hardly think: der, die, das, why on earth are they needed)

here are the apps I am planning to run

apache with mod-php mod_perl and mod_ssl squirrelmail wu-imap snmpd squid

Good evening, best regards from Stuttgart

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
Please reply to the list; http://susefaq.sf.net
Please don't CC me.
here are the apps I am planning to run
apache with mod-php mod_perl and mod_ssl squirrelmail wu-imap snmpd squid
sshd would be cool too...

Volker

--
Volker Kuhlmann is possibly list0570 with the domain in header
http://volker.dnsalias.net/
Please do not CC list postings to me.
* Volker Kuhlmann; <hidden@paradise.net.nz> on 12 Dec, 2003 wrote:
here are the apps I am planning to run
apache with mod-php mod_perl and mod_ssl squirrelmail wu-imap snmpd squid
sshd would be cool too...
OK, I'll add it to my wish list along with cups. Now here is the approach I am planning to take:

1) Create /etc/sysconfig/chroot.d directory and store configuration files for services to be chrooted. The configuration file should include the files and directories needed for the service

2) Create chroot-maker file which will basically read the /etc/sysconfig/chroot.d/FILENAME and create the chrooted environment

3) Modify the /etc/init.d/SERVICE file to include the chroot setup so I do not have to worry about if I need to prepare the chroot environment or not

4) I need to modify the /etc/sysconfig/syslog so the /chroot/DIR/dev/log will be available, but is there a way that the init script checks the existence of chroot/DIR/dev/log and if not adds it on the fly?

Before I make a head start and dive into deep water, is there anything I am missing here?

I think this is better than the unsubscribe thread :-)

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
Please reply to the list; http://susefaq.sf.net
Please don't CC me.
1) Create /etc/sysconfig/chroot.d directory and store configuration files for services to be chrooted.
Please no, only one config file in /etc, copy that if needed. On SuSE 8.2 several services run chrooted already on demand, e.g. postfix and named, and SuSEconfig/rcservice maintain the chroot env automatically. Have a look at their mechanisms first, they seem pretty good.
2) Create chroot-maker file which will basically read the /etc/sysconfig/chroot.d/FILENAME and create the chrooted environment
If chroot.d/FILENAME contains a list of files needed in the chroot env for each service, that would be a good general approach. The tricky bit is to work out which files are needed. I tried with jail and sshd once but couldn't get it working.
3)Modify the /etc/init.d/SERVICE file to include the chroot setup so I do not have to worry about if I need to prepare the chroot environment or not
Yes.
I think this is better than the unsubscribe thread :-)
No doubt!

Volker

--
Volker Kuhlmann is possibly list0570 with the domain in header
http://volker.dnsalias.net/
Please do not CC list postings to me.
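As an added illustration of steps 1 and 2 of the plan, and of the "which files are needed" problem raised in the reply: a minimal chroot-maker in POSIX sh. This is example code written for this page, not Togan's script and not anything shipped with SuSE 8.2. The config format (one absolute path per line, '#' comments and blank lines ignored), the function names, and the use of ldd to pull in shared libraries are assumptions; the jail root and the config path are parameters rather than /etc/sysconfig/chroot.d so it can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal "chroot-maker".
# It reads a config file listing one absolute path per line, copies each
# entry into the jail root preserving the directory layout, and pulls in
# the shared libraries of executable entries via ldd when ldd exists.
# Config format and function names are assumptions made for this example.

# copy_into_jail JAILROOT PATH
# Copy PATH (a file or a directory tree) to JAILROOT/PATH, creating parents.
# Directory copies are idempotent: re-running merges into the existing tree.
copy_into_jail() {
    jail=$1; src=$2
    [ -e "$src" ] || { echo "chroot-maker: missing $src" >&2; return 1; }
    mkdir -p "$jail$(dirname "$src")"
    if [ -d "$src" ]; then
        mkdir -p "$jail$src"
        cp -pR "$src/." "$jail$src/"
    else
        cp -p "$src" "$jail$src"
    fi
}

# libs_for BINARY
# Print the shared objects ldd reports for BINARY, one per line.
# Prints nothing when ldd is unavailable or BINARY is not a dynamic ELF file.
libs_for() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null | awk '$1 ~ /^\// {print $1} $3 ~ /^\// {print $3}'
}

# build_jail JAILROOT CONFIGFILE
# Populate JAILROOT from CONFIGFILE and print the number of config entries
# copied. Returns 1 (and stops) on the first entry that does not exist.
build_jail() {
    jail=$1; conf=$2; count=0
    mkdir -p "$jail/dev" "$jail/etc" "$jail/tmp"
    chmod 1777 "$jail/tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac   # skip blanks and comments
        copy_into_jail "$jail" "$line" || return 1
        count=$((count + 1))
        # an executable drags its link-time libraries along
        if [ -f "$line" ] && [ -x "$line" ]; then
            for lib in $(libs_for "$line"); do
                [ -e "$jail$lib" ] || copy_into_jail "$jail" "$lib" || return 1
            done
        fi
    done < "$conf"
    # nearly every daemon opens /dev/null; mknod needs root, so only then
    if [ "$(id -u)" -eq 0 ] && [ ! -e "$jail/dev/null" ]; then
        mknod -m 666 "$jail/dev/null" c 1 3
    fi
    echo "$count"
}
```

Run as root, e.g. `build_jail /chroot/snmpd /etc/sysconfig/chroot.d/snmpd`. Note that ldd only reports link-time dependencies; anything the daemon opens at run time with dlopen (NSS modules for /etc/passwd lookups, PAM modules, locale and timezone data) has to be listed in the config explicitly, which is the usual reason a service works outside the jail and fails inside it.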
* Volker Kuhlmann; <hidden@paradise.net.nz> on 13 Dec, 2003 wrote:
1) Create /etc/sysconfig/chroot.d directory and store configuration files for services to be chrooted.
Please no, only one config file in /etc, copy that if needed. On SuSE 8.2 several services run chrooted already on demand, e.g. postfix and named, and SuSEconfig/rcservice maintain the chroot env automatically. Have a look at their mechanisms first, they seem pretty good.
Too late (though you never know), yet my modified init scripts do the same: they prepare the chroot environment and then start the service, so there is no need to manually prepare the chrooted directory structure.
2) Create chroot-maker file which will basically read the /etc/sysconfig/chroot.d/FILENAME and create the chrooted environment
If chroot.d/FILENAME contains a list of files needed in the chroot env for each service, that would be a good general approach.
That's what I have done so far.
The tricky bit is to work out which files are needed. I tried with jail and sshd once but couldn't get it working.
Well, I got snmpd working in chroot now (except the agent parts, which I have not played with yet), but the thing so far works with no problem. I have also gotten ssh chrooted; the part I could not decide is how I want to check the users' authentication. If I want to trust the /etc/passwd file I have to find a way to get the legitimate users into /chroot/sshd/etc/passwd, or find another way of getting the users authenticated somehow, as this is the part that is left.

I do not think getting squid or apache involved in the chroot game is too difficult now (hope I am not mistaken).

The question is how many sockets I can create for syslogd to listen on; somewhere in my memory 19 is the magic number. If so, is it better to change to syslog-ng or something else?

Desperately seeking my brain, which is lost in the language dilemma :-(

Best regards from Stuttgart

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
Please reply to the list; http://susefaq.sf.net
Please don't CC me.
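Item 4 of the plan and the syslogd socket question above both come down to the same mechanism: sysklogd's syslogd only opens additional unix sockets given with one `-a PATH` option each, and only at startup, so "adding one on the fly" means regenerating the option list and restarting syslogd. The cap on those sockets is compile-time in sysklogd (MAXFUNIX in syslogd.c; 20 in the versions I recall, one of which is /dev/log itself), which is consistent with the figure above; syslog-ng has no such small limit. The following helpers are added example code, not anything from the thread or from SuSE; the function names and the use of a SYSLOGD_PARAMS variable in a sysconfig-style KEY="value" file are assumptions, and the file path is a parameter so the code can be tried against a scratch copy.

```shell
#!/bin/sh
# Added example (not from the thread): init-script helpers for the syslog
# side of a chroot setup. Each jail needs "-a JAIL/dev/log" passed to
# syslogd. Function names and SYSLOGD_PARAMS are assumptions made here.

# syslogd_socket_args JAIL...
# Print the "-a JAIL/dev/log" options for the given jail roots on one line,
# creating JAIL/dev first so syslogd can bind the socket there.
syslogd_socket_args() {
    args=''
    for jail in "$@"; do
        mkdir -p "$jail/dev"
        args="$args -a $jail/dev/log"
    done
    printf '%s\n' "${args# }"
}

# missing_log_sockets JAIL...
# Print each jail root whose dev/log is not (yet) a unix socket.
# Returns 0 if at least one is missing, 1 if all are present.
missing_log_sockets() {
    missing=1
    for jail in "$@"; do
        if [ ! -S "$jail/dev/log" ]; then
            printf '%s\n' "$jail"
            missing=0
        fi
    done
    return $missing
}

# update_syslog_params FILE JAIL...
# Rewrite the SYSLOGD_PARAMS="..." line of FILE so it carries exactly the
# sockets for the given jails; every other line is kept. Prints the new line.
update_syslog_params() {
    file=$1; shift
    newline="SYSLOGD_PARAMS=\"$(syslogd_socket_args "$@")\""
    tmpfile="$file.tmp.$$"
    {
        if [ -f "$file" ]; then grep -v '^SYSLOGD_PARAMS=' "$file" || :; fi
        printf '%s\n' "$newline"
    } > "$tmpfile"
    mv "$tmpfile" "$file"
    printf '%s\n' "$newline"
}

# ensure_jail_logging FILE JAIL...
# What a service's "start" target can call: if any jail lacks its socket,
# refresh SYSLOGD_PARAMS in FILE and return 0 to signal that syslogd must be
# restarted (e.g. "rcsyslog restart"); return 1 when nothing needs doing.
ensure_jail_logging() {
    file=$1; shift
    if missing_log_sockets "$@" >/dev/null; then
        update_syslog_params "$file" "$@" >/dev/null
        echo "syslogd restart required to open new jail sockets"
        return 0
    fi
    return 1
}
```

The socket check uses `-S` rather than `-e`, because a stale regular file or directory at JAIL/dev/log (left behind by a copy step, for instance) would otherwise pass the test while syslogd still refuses to bind there.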
This short description sounds nice, but I can't see how to do it. Is there a longer version available?

For example it would be nice to chroot the flexlm license server. Anybody done this before with compartment?

The steps are clear, but what's to be done step by step?

As from dhcpd I know you have to change something in Servicefile to activate the chroot (with 8.1 it was the case until 8.2 supports it now). With this option the /etc/init.d/<SERVICE-script> copies service xy into a chroot jail (e.g. /var/chroot/SERVICE) and copies dummy devices into it so service xy can access syslog, /etc/SERVICE, linked binaries and libs.

What are the options for compartment?

The problem with this thread is, there hasn't really been much said about it in the man page or howto (same with samba-vscan, but I found some useful links after investigating a little bit). I cannot find useful links to this thread.

Anybody got links or manuals for this?

Philippe

P.S.: Anybody got a solution for smtp auth/chroot/postfix with SuSE 8.2? I didn't get it to work yet, but would like to use my smtp-server with smtp auth (I wanna use my server's spam/virus/filter options instead of the lame ones many providers have). I have set up relay allowed for my network only, and want to send mail via modem with this (from here it's no problem, because I'm within my network's ip-range).
* Philippe Vogel; <filiaap@freenet.de> on 13 Dec, 2003 wrote:
This short description sounds nice, but I can't see how to do it. Is there a longer version available?
Wish it were somewhere that I knew; then all I would do was follow the steps.
For example it would be nice to chroot the flexlm license server. Anybody done this before with compartment?
The steps are clear, but what's to be done step by step?
When I have a better picture I will put everything online and will announce the link. However my first intention is to get things running. So I raised the question earlier and accepted the fact that I was getting lazier :-)
As from dhcpd I know you have to change something in Servicefile to activate the chroot (with 8.1 it was the case until 8.2 supports it now). With this option the /etc/init.d/<SERVICE-script> copies service xy into a chroot jail (e.g. /var/chroot/SERVICE) and copies dummy devices into it so service xy can access syslog, /etc/SERVICE, linked binaries and libs.
What are the options for compartment?
There are plenty, and I have a headache after reading them :-) I will start asking the question about the capabilities later.
The problem with this thread is, there hasn't really been much said about it in the man page or howto (same with samba-vscan, but I found some useful links after investigating a little bit). I cannot find useful links to this thread.
Anybody got links or manuals for this?
Should have one manual up soon, but I will protect it with .htaccess and allow access to those helping me :-)

Best regards from Stuttgart

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
Please reply to the list; http://susefaq.sf.net
Please don't CC me.
* Togan Muftuoglu; <toganm@users.sourceforge.net> on 12 Dec, 2003 wrote:
* Volker Kuhlmann; <hidden@paradise.net.nz> on 12 Dec, 2003 wrote:
here are the apps I am planning to run
apache with mod-php mod_perl and mod_ssl squirrelmail wu-imap snmpd squid
sshd would be cool too...
OK I'll add it to my wish list along with cups. Now here is the approach I am planning to take
3)Modify the /etc/init.d/SERVICE file to include the chroot setup so I do not have to worry about if I need to prepare the chroot environment or not
http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-apache-env...

    case "$1" in
      start)
        echo -n "Starting web server: $NAME"
        mount -t proc proc /var/chroot/apache/proc

The Debian howto has the part which is mounting the proc file system in the chroot directory of apache. However I have not found another document that suggests such a mount. The questions I have are:

1) What do I achieve by mounting "proc" under the chrooted directory?

2) For what other types of programs is mounting proc under the chrooted directory recommended?

Thanks

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
Please reply to the list; http://susefaq.sf.net
Please don't CC me.
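A proc mount inside the jail gives the jailed processes a /proc/self and the rest of procfs, which is what tools like ps and netstat and some libraries read; most daemons, Apache included, start without it. The trade-off is that it also exposes the host's full process list and /proc/sys to the jail, so it loosens the isolation and is worth mounting only for a service that demonstrably fails without it. Whichever way that decision goes, the init script should mount proc idempotently, since the howto's bare `mount` line stacks a new mount on every "start". The following is added example code for that, not part of the thread or of any SuSE or Debian script; the function names are assumptions, and the mounts table is a parameter so the check can be tried against a constructed copy (use /proc/mounts, the default, on a live system).

```shell
#!/bin/sh
# Added example (not from the thread): idempotent proc handling for a
# chroot init script. "start" mounts proc only if it is not already there,
# "stop" unmounts only what is mounted. Function names are assumptions.

# jail_proc_mounted JAIL [MOUNTS_FILE]
# Returns 0 if a proc filesystem is listed exactly at JAIL/proc in
# MOUNTS_FILE (default /proc/mounts), 1 otherwise. A prefix such as
# "/var/chroot" must not match "/var/chroot/apache/proc", hence the
# exact comparison on the mount point field.
jail_proc_mounted() {
    jail=$1; mounts=${2:-/proc/mounts}
    awk -v dir="$jail/proc" \
        '$2 == dir && $3 == "proc" { found = 1 } END { exit !found }' "$mounts"
}

# mount_jail_proc JAIL
# Mount proc at JAIL/proc once; prints "already" or "mounted".
mount_jail_proc() {
    jail=$1
    if jail_proc_mounted "$jail"; then
        echo already
        return 0
    fi
    mkdir -p "$jail/proc" && mount -t proc proc "$jail/proc" && echo mounted
}

# umount_jail_proc JAIL
# Unmount JAIL/proc if it is mounted; a no-op (status 0) otherwise.
umount_jail_proc() {
    jail=$1
    if jail_proc_mounted "$jail"; then
        umount "$jail/proc"
    fi
}
```

In an init script the "start" target calls `mount_jail_proc /var/chroot/apache` before the chroot'ed daemon starts and "stop" calls `umount_jail_proc /var/chroot/apache` after it has exited; both need root, only the check itself runs unprivileged.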
participants (3): Philippe Vogel, Togan Muftuoglu, Volker Kuhlmann