
chrooting daemons



One way to limit damage caused by a daemon with an exploited security
hole is to run it in a "jail", a chrooted environment. An example is DNS:
http://www.homeport.org/~adam/dns.html

The same mechanism could be used with several other daemons which
do not need to access files outside their running directory (xntpd).
Some daemons need access in some configurations and not in others;
for example, Apache can be run this way if you don't need user
home directories.

There are disadvantages: duplicated libraries take disk and memory
space as they are not shared, limitations like the above, etc., but
I still think this could be an option for some security-conscious
sites.

Some generic support could be included in /sbin/start-stop-daemon
(--run-chrooted-in?), but I guess some policy discussions would
be in order.

-Topi
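
The jail-building step behind the library-duplication trade-off described above, as an added example that is not part of the original message. The function names, the constructed `ldd` sample, and the use of GNU `chroot --userspec` are assumptions.

```shell
#!/bin/sh
# Added example: collect what a dynamically linked daemon needs in its jail.

# Constructed sample of `ldd` output (not taken from a real system).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffc0a5f2000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1b2c000000)
	libgone.so.1 => not found
	/lib64/ld-linux-x86-64.so.2 (0x00007f1b2c400000)'

# Read `ldd` output on stdin, print the absolute paths to copy.
# Virtual entries (linux-vdso) and "not found" lines yield nothing.
ldd_paths() {
    awk '
        $2 == "=>" { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    ' | LC_ALL=C sort -u
}

# Copy one file into the jail under the same absolute path.
jail_copy() {  # jail_copy JAIL /abs/path
    mkdir -p "$1$(dirname "$2")" && cp -p "$2" "$1$2"
}

# Populate JAIL with the daemon binary and every library ldd resolves.
# Each copy is a private duplicate: the disk and memory cost noted above.
build_jail() {  # build_jail JAIL /abs/path/to/daemon
    jail=$1 bin=$2
    jail_copy "$jail" "$bin" || return 1
    ldd "$bin" | ldd_paths | while read -r lib; do
        jail_copy "$jail" "$lib" || exit 1
    done
}

# Start the daemon confined to JAIL as an unprivileged user.
# Must be called as root; --userspec is a GNU coreutils chroot option.
run_jailed() {  # run_jailed JAIL USER:GROUP /path/inside/jail [args...]
    jail=$1 spec=$2
    shift 2
    chroot --userspec="$spec" "$jail" "$@"
}
```

A daemon usually also needs its configuration files, and possibly device nodes or resolver files, inside the jail; `ldd` does not discover those.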

