Robert Jordan wrote:
Jesse,
You are correct, I do not have the real proc filesystem mounted into the
jail. I was thinking I could go ahead and mount this using something
like:
    mount --bind /proc -o ro,nosuid /home/jail/proc
    mount -n -t proc proc /home/jail/proc
Does this open up any security issues etc? I'm not very familiar
with the proc filesystem.
There were some security issues (chroot escapes) with chroot
and procfs, but I cannot remember which Linux kernel version
was affected (2.2 or 2.4?).
Since security is being brought up here... Find paxtest.. Test your
system and then check to see if you have make tools installed.. It takes
about 2 minutes to pivot and/or simply escape out of a chroot jail if
you know a few key things.. chroot isn't a panacea..
Also.. For those that plan to run a reverse proxy to allow multiple
xsp.. (Take a look at how many vulnerabilities squid has had over the
last year.)
I'm by no means an expert, but these are my basic thoughts..
C.
_______________________________________________
Mono-list maillist - [email protected]
http://lists.ximian.com/mailman/listinfo/mono-list