chrooting daemons

markus1982 · 11-16-2002, 06:05 AM

I'm thinking of writing a more general how-to on chrooting daemons, what I think of including:

1. What is a chrooted daemon?

explanation (with directory tree comparison)

2. Why do I need that?
3. Explanation for the usage of
chroot
ps
ldd
lsof
strace
4. How do I chroot a daemon[list=a][*]- which daemons can be chrooted in general
- where is chrooting too much time-consulting compared to the benefits (sendmail for instance)[*]how to determine required files/libraries[*]creating the jail, copying required files/libraries, adjust permissions[/list=a]

5. attacking chrooted daemons
6. chrooting at the example of MySQL

Anybody has comments / suggestions on the content or anything else ?

radnix · 11-16-2002, 09:04 AM

Yea, I'd especially be interrested in what you come up with. I'm presently tackling daemon chrooting now, just started.

I'll try to add to your posts if I can, but my first attempts aren't working.

My first goal is to chroot SSH........

ANYWAY, any references, examples or links you might suggest will be appreciated !

unSpawn · 11-21-2002, 11:04 AM

IMNSHO there's only three good docs on chrooting on the 'net. So of course it would be great if you can find the time to make it. As usual when I've got something usefull I'll try to add it.
Seems a good place to promote GRSecurity chroot features, busybox usage and rootjail a bit.

As for chrooting Ssh users, there's a patch floating around somewhere for OpenSSH 3.x.