Christopher,

Thanks for the heads up, I will definitely test out my chroot environment for security. Is it possible to create a "safe" chroot if it has mono installed in it? (including the compiler)

I have a quick question about mounting my /proc filesystem into my jail environment. I have a common jail environment at /home/jail; this gets mounted into each person's home directory at /home/username/.jail, using mount --bind. I then symlink each of the required folders (usr, lib, proc, var and such) into the root of the user's directory so I only need to mount one single folder into their home directory. I'm seeing a few weird things though (running redhat el4). When I mount my proc filesystem into /home/jail/proc I can do a "ls -la /home/jail/proc" and see all the files, however it doesn't show up in a "df|grep proc". Also when I mount my /home/jail onto /home/username/.jail, I get nothing in a "ls -la /home/username/.jail/proc". Do you know any reasoning for this? Is this because I have to explicitly mount the proc filesystem into the user's home directory as the "proc" type? If so, any ways around this? This is causing my execution of a chrooted mod-mono-server to fail due to inability to get the number of processors on the machine, same as described in past emails.

Any ideas/comments would be much appreciated.

Thanks,
Jesse

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Bergström
Sent: Tuesday, November 29, 2005 3:21 AM
Cc: [email protected]
Subject: [Mono-list] Re: Running mod-mono-server in a chroot jail

Robert Jordan wrote:
> Jesse,
>
>> You are correct, I do not have the real proc filesystem mounted into
>> the jail. I was thinking I could go ahead and mount this using
>> something like:
>>
>> mount --bind /proc -o ro,nosuid /home/jail/proc
>
> mount -n -t proc proc /home/jail/proc
>
>> Does this open up any security issues etc? I'm not very familiar
>> with the proc filesystem.
>
> There were some security issues (chroot escapes) with chroot and
> procfs, but I cannot remember which linux kernel version was affected
> (2.2 or 2.4?).

Since security is being brought up here... Find paxtest.. Test your system and then check to see if you have make tools installed.. It takes about 2 minutes to pivot and or simply escape out of a chroot jail if you know a few key things.. chroot isn't a panacea..

Also.. For those that plan to run a reverse proxy to allow multiple xsp.. (Take a look at how many vulnerabilities squid has had over the last year.)

I'm by no means an expert, but these are my basic thoughts..

C.

_______________________________________________
Mono-list maillist - [email protected]
http://lists.ximian.com/mailman/listinfo/mono-list
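Two points in the thread above lend themselves to a small defender-side script, added here as an example that is not part of the list discussion or of the Mono project. First, the empty /home/username/.jail/proc Jesse sees is the expected result of a plain "mount --bind": a bind mount is not recursive, so submounts such as procfs under /home/jail are not carried along unless the parent is bound with "mount --rbind" or proc is mounted inside the copy explicitly, as in Robert's "mount -n -t proc proc /home/jail/proc". (procfs also reports zero blocks, which is why "df" hides it unless run with "-a"; "mount" or /proc/mounts is the reliable check.) Second, Christopher's advice to look for make tools in the jail generalises to an audit of the jail directory. The function below checks that <jail>/proc is a live procfs, and lists setuid/setgid files, unexpected device nodes and build tools found on the usual binary paths. The tool list and the paths searched are assumptions for this example; adjust them to your jail.

```shell
#!/bin/sh
# Added example (not Mono project code): audit a chroot directory for
# jail-weakening content and verify that procfs is really mounted at <jail>/proc.

# Binaries whose presence lets someone inside the jail build new executables.
# The list is an assumption for this example; mcs/gmcs are the Mono C# compilers.
BUILD_TOOLS="gcc cc g++ make ld as mcs gmcs"

# audit_jail <dir>: print one "kind: detail" line per finding and a final
# "findings: N" line. Returns 0 when N is 0, 1 otherwise.
audit_jail() {
    jail=$1
    findings=0

    # 1. procfs check. A plain "mount --bind" of the parent tree is not
    #    recursive, so <jail>/proc in a bind-mounted copy is an empty directory
    #    unless proc was mounted there explicitly (or the parent was bound with
    #    --rbind). A live procfs always exposes the "self" entry.
    if [ ! -e "$jail/proc/self" ]; then
        echo "proc: $jail/proc is not a mounted procfs (empty directory or unbound submount)"
        findings=$((findings + 1))
    fi

    # 2. setuid/setgid files. Nothing a chrooted service needs should carry
    #    these bits; each one is a privilege boundary shipped into the jail.
    #    The proc subtree is pruned so the walk does not descend into procfs.
    for f in $(find "$jail" -path "$jail/proc" -prune -o \
                    -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null); do
        echo "setuid: $f"
        findings=$((findings + 1))
    done

    # 3. Device nodes. Only the few a service needs (null, zero, random,
    #    urandom) belong under <jail>/dev; anything else is reported.
    for f in $(find "$jail" -path "$jail/proc" -prune -o \
                    \( -type c -o -type b \) -print 2>/dev/null); do
        case "$f" in
            "$jail"/dev/null|"$jail"/dev/zero|"$jail"/dev/random|"$jail"/dev/urandom) ;;
            *) echo "device: $f"; findings=$((findings + 1)) ;;
        esac
    done

    # 4. Compilers and build tools on the usual binary paths (assumed layout).
    for t in $BUILD_TOOLS; do
        for p in "$jail/bin/$t" "$jail/usr/bin/$t" "$jail/usr/local/bin/$t"; do
            if [ -x "$p" ]; then
                echo "toolchain: $p"
                findings=$((findings + 1))
            fi
        done
    done

    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Usage, run as root against the real jail:  audit_jail /home/jail
```

Run it against /home/jail after mounting proc and again against /home/username/.jail; if the first passes the proc check and the second does not, the submount was simply not propagated by the bind mount. The setuid and device checks are the ones worth re-running whenever the jail image is rebuilt, since package updates tend to reintroduce both.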
