On May 24, Stephen Frost scribbled:
> > and create structure of their own hardlinking the libraries and /etc files
> > from the /var/chroot/ tree (for that to work all of the packages must be on
> > one filesystem). They would run chrooted into their /var/chroot/package/
> > directory. All packages would require the chroot package (e.g. chroot-base).
> > Comments?
>
> This seems very similar to the way I had started setting things up on
> my system. I actually made a separate filesystem (/chroot) and stuck bind under
> it (/chroot/bind). I'm trying to think of problems, and I think we'll want to
> be careful with the hardlinking. The idea of having something in a chroot jail
> is that if someone breaks into it, they can't affect anything else. If a
> library is shared between two packages and it can be modified by someone in one
> of the chroot'ed environments, that could affect the other chroot'ed environments.

Yes, there's a theoretical danger of that kind, but I think it's not that grave
as it might seem. The libraries can be protected by immutable bit, for example,
they will definitely be owned by root and the daemons will never run as root
(mostly). It can be made an option to choose whether the libraries should be
hardlinked or copied over to the new chroot jail. The decision belongs to the
package itself.

> The way I compiled bind, IIRC, was to statically compile it so as to not
> have it depend on any libraries. Now, this does take it up from 452k to 1.8M,
> so I can see the desire to avoid that. This would also require totally separate

yes, it's a huge memory hog, besides it separates the daemon from the rest of
the distribution <plugin> all the dynalink advantages talk here</plugin> and
isn't quite that necessary.

> packages for everything offered chroot'ed, but then, if something chroot'ed can
> affect something else chroot'ed, there doesn't seem a lot of point to having it
> chroot'ed to begin with.

I agree. Therefore such option as I wrote above should exist, no doubt about that.
But the chroot is only one level of separation, the permissions are another - it
is possible to create a secure installation with shared libraries as well, IMHO...

> For the /etc structure, I take it we'll only be hardlinking the files
> which are used by a package into that package's /var/chroot/bind/etc dir? For
> the reason I mentioned above I think we want to avoid hardlinking the actual
> directory.

Not always. Some packages might need /etc/passwd, /etc/nsswitch, /etc/resolv.conf,
/etc/hosts, /etc/hostname and /etc/whatnot - the chroot-base package should
encompass needs of all potential chroot clients - it's easier to maintain it that
way.

marek
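The shared-inode concern raised in the quoted message (a library hardlinked into two jails is one file, so a write inside one jail changes what the other jail loads), as an added shell example that is not part of the original thread or of any Debian package. It builds a throwaway copy of the /var/chroot/<package> layout under a temp directory; the package names, the stand-in libc.so and its contents are constructed. It contrasts the hardlink and copy options the reply mentions, and adds a small audit that a maintainer could run over a jail to list files whose inode is also linked from outside it (the candidates for the immutable bit, which needs root and is not set here).

```shell
#!/bin/sh
# Added example, not from the original thread. All paths and file contents
# below are constructed for illustration.
set -eu

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
CHROOT="$ROOT/var/chroot"

# chroot-base holds the master copy of the library (constructed stand-in for libc).
mkdir -p "$CHROOT/base/lib" "$CHROOT/bind/lib" "$CHROOT/dns2/lib"
printf 'libc v1\n' > "$CHROOT/base/lib/libc.so"

# Option 1 (hardlink): bind's jail shares the inode with chroot-base.
ln "$CHROOT/base/lib/libc.so" "$CHROOT/bind/lib/libc.so"
# Option 2 (copy): dns2's jail gets a private inode of its own.
cp "$CHROOT/base/lib/libc.so" "$CHROOT/dns2/lib/libc.so"

# jail_lib_content NAME -> contents of NAME's copy of the library
jail_lib_content() { cat "$CHROOT/$1/lib/libc.so"; }

# link_count FILE -> hardlink count of FILE's inode (POSIX ls -l, field 2)
link_count() { ls -ld "$1" | awk '{print $2}'; }

# count_shared_inodes NAME -> number of regular files under NAME's jail whose
# inode is also linked from somewhere else (find -links +1). Anything above 0
# means a write made inside the jail is visible outside it; those files are
# the ones to copy instead of link, or to protect with the immutable bit.
count_shared_inodes() { find "$CHROOT/$1" -type f -links +1 | wc -l | tr -d ' '; }

# Simulate a compromised daemon inside bind's jail modifying its library.
printf 'tampered\n' >> "$CHROOT/bind/lib/libc.so"

echo "base sees: $(jail_lib_content base | tr '\n' ' ')"   # libc v1 tampered (shared inode)
echo "dns2 sees: $(jail_lib_content dns2 | tr '\n' ' ')"   # libc v1 (private copy)
echo "shared files in bind jail: $(count_shared_inodes bind)"   # 1
echo "shared files in dns2 jail: $(count_shared_inodes dns2)"   # 0
```

The audit only catches sharing through hardlinks; a bind mount of the same directory into several jails would need a mount-table check instead, and `find -links +1` also flags files that are legitimately multi-linked within one jail, so the output is a list to review rather than a verdict.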