I think I understand better now. But is there still a security
benefit from having the different services in their own jails?
(even if the jail cells come with their own metaphorical swimming
pool and armoury)

Or is it that the jails don't offer enough compared with the
additional workload of managing multiple copies of libraries/binaries
in the system...?

On Thu, 9 Mar 2023 at 12:29, Stuart Henderson <s...@spacehopper.org> wrote:
>
> On 2023/03/08 10:10, Glen Gunsalus wrote:
> >
> > On 3/7/23 15:33, Stuart Henderson wrote:
> > > On 2023-03-07, Glen Gunsalus <g-gunsa...@mindspring.com> wrote:
> > > > To get this running cp'd perl (/usr/bin/perl) and relevant perl libs 
> > > > (/usr/lib/[libs.so|libm.so|libperl.so] /usr/libexec/ld.so) to 
> > > > /var/www/usr/[bin|lib|libexec]
> > >
> > > You shouldn't need that bit (and it is safer not to) - smokeping_fcgi
> > > does not chroot.
> > >
> > >
> > Hmm, I did this on the basis of a post by you (5/11/20) in response to Tom 
> > (5/10/20) which I interpreted as needing several files moved into www 
> > "jail."
>
> No that was me saying "this software is not really meant to work with
> chroot and if you're copying enough into the chroot that it works,
> you're providing a lot of extra tools to someone who is able to execute
> code within the jail"
>
> > ----------------quote--------------------------
> > bgplg is designed to run in a jail, it is a small C program and even
> > then it needs specially compiled versions of the external dependencies
> > (ping, bgpctl etc).
> >
> > Smokeping isn't - if you want to run the graph generating part of
> > smokeping (i.e. the cgi/fcgi script) inside a chroot jail, a whole lot
> > more is needed - a copy of perl and various modules, rrdtool,
> > rrdtool's library dependencies, fonts, and I think there were config
> > files for some of the libraries. I did this in the past but it's a
> > real mess and easy to break at update time, and the amount of things
> > copied in means that the chroot ends up more as "luxury camping" than
> > "jail" 😉
> > ----------------end quote-------------------
> >
> > I had been running smokeping and mrtg with apache for a number of years, 
> > but when OpenBSD abandoned apache I looked at nginx for transition then 
> > httpd came along and looked both more attractive and likely to be more long 
> > lived under OpenBSD.
> >
> > It was Tom's post that got me started down the httpd path.  I have been 
> > running with httpd since that time.
> > I can't remember the details, but think I initially tried w/o the cp'd 
> > files, but was not successful so began incrementally moving goodies into 
> > /var/www until it worked.
> > I will try rm'ing or mv'ing those in /var/www and see how it goes.
> >
> > Thanks for your help.
> >
> > Regards, Glen
>


-- 
Kindest regards,
Tom Smyth.

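As an added example (not part of the thread, and not OpenBSD, httpd or smokeping code), here is a small POSIX sh audit script for the situation Glen and Stuart describe above: it lists what has been copied into an httpd chroot such as /var/www, flags interpreters and shells that anyone who gets code execution inside the chroot could use, and compares each copied file with the base-system original so that copies left behind by an upgrade show up. The script name audit_chroot.sh, the RISKY_NAMES list and the sample tree it builds are assumptions for illustration.

```shell
#!/bin/sh
# audit_chroot.sh (hypothetical helper, not from OpenBSD or the thread):
# inventory what a populated httpd chroot hands to anyone who gets code
# execution inside it, and flag copies that no longer match the base system.
set -u

# Interpreters, shells and build tools whose presence in a chroot turns it
# into "luxury camping". Assumption: illustrative list, extend as needed.
RISKY_NAMES="perl python ruby sh ksh csh bash cc gcc make nc"

# Print executable regular files and shared objects under chroot $1,
# as paths relative to $1, sorted.
chroot_inventory() {
    ( cd "$1" && find . -type f \( -perm -100 -o -name '*.so*' \) \
        | sed 's#^\./##' | sort )
}

# Print the basename of every risky interpreter/shell found in chroot $1.
chroot_risky() {
    chroot_inventory "$1" | while IFS= read -r path; do
        case " $RISKY_NAMES " in
            *" ${path##*/} "*) echo "${path##*/}" ;;
        esac
    done
}

# Compare each copied file in chroot $1 with the same path under system
# root $2 (default /). Prints "STALE path" when the contents differ and
# "MISSING path" when the base system no longer has the file; this is
# how a hand-populated chroot silently breaks or falls behind after an upgrade.
chroot_drift() {
    root=$1; sysroot=${2:-/}
    chroot_inventory "$root" | while IFS= read -r path; do
        if [ ! -e "$sysroot/$path" ]; then
            echo "MISSING $path"
        elif ! cmp -s "$root/$path" "$sysroot/$path"; then
            echo "STALE $path"
        fi
    done
}

# Total number of findings (risky binaries + drifted copies) for chroot $1.
chroot_finding_count() {
    risky=$(chroot_risky "$1" | wc -l | tr -d ' ')
    drift=$(chroot_drift "$1" "${2:-/}" | wc -l | tr -d ' ')
    echo $((risky + drift))
}

# Human-readable report for chroot $1 against system root $2.
chroot_report() {
    echo "== inventory of $1 =="
    chroot_inventory "$1"
    echo "== interpreters/shells reachable from inside the chroot =="
    chroot_risky "$1"
    echo "== drift against ${2:-/} =="
    chroot_drift "$1" "${2:-/}"
    echo "findings: $(chroot_finding_count "$1" "${2:-/}")"
}

# Constructed sample (not real system files): a fake base system plus a
# chroot populated the way the thread describes (perl, libperl and ld.so
# copied under usr/{bin,lib,libexec}), after which the "base" perl is
# upgraded so the chroot copy goes stale. Prints "<chroot> <sysroot>".
make_sample() {
    tmp=$(mktemp -d 2>/dev/null || mktemp -d -t chrootaudit)
    sys=$tmp/sys; www=$tmp/www
    mkdir -p "$sys/usr/bin" "$sys/usr/lib" "$sys/usr/libexec"
    mkdir -p "$www/usr/bin" "$www/usr/lib" "$www/usr/libexec" "$www/htdocs"
    printf 'perl 5.36 (stand-in)\n' > "$sys/usr/bin/perl"
    printf 'libperl (stand-in)\n'   > "$sys/usr/lib/libperl.so.1.0"
    printf 'ld.so (stand-in)\n'     > "$sys/usr/libexec/ld.so"
    chmod 755 "$sys/usr/bin/perl" "$sys/usr/libexec/ld.so"
    cp -p "$sys/usr/bin/perl"           "$www/usr/bin/"
    cp -p "$sys/usr/lib/libperl.so.1.0" "$www/usr/lib/"
    cp -p "$sys/usr/libexec/ld.so"      "$www/usr/libexec/"
    printf 'hello\n' > "$www/htdocs/index.html"
    printf 'perl 5.38 (stand-in)\n' > "$sys/usr/bin/perl"   # base system upgraded
    echo "$www $sys"
}

# Usage: audit_chroot.sh /var/www [/]   -- or no arguments to run the sample.
if [ $# -ge 1 ]; then
    chroot_report "$1" "${2:-/}"
else
    dirs=$(make_sample)
    chroot_report "${dirs% *}" "${dirs#* }"
    rm -rf "$(dirname "${dirs% *}")"
fi
```

On a real system, pair this with `ldd` on each flagged binary to see which shared objects it pulls in, since every one of those also has to live in the chroot. Hand-copied files under /var/www/usr are not part of any base set, so a base upgrade replaces /usr/bin/perl but leaves the chroot copy untouched; the drift check is what makes that visible.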