LinuxQuestions.org
Old 06-04-2006, 04:36 AM   #1
Yalla-One
Member
 
Registered: Oct 2004
Location: Norway
Distribution: Slackware, CentOS
Posts: 635

Rep: Reputation: 35
Using compartment


Hi,

I found a program called compartment (http://www.suse.de/~marc/compartment.html) that supposedly allows me to run a potentially dangerous application in a secure and limited environment.

However, this application has not been maintained for a long time, with the exception of (http://www.chronox.de/chroot/compartment-1.2.tar.bz2) which is also quite old.

Does anyone have any experience with these programmes? Are they so old because they work fine and didn't need updates, or have they been replaced by newer, more efficient and secure solutions?

I am planning to use this as an added precaution for anything from ftp server to bittorrent.

Any insight greatly appreciated!

-Y1
 
Old 06-04-2006, 04:46 AM   #2
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 1,748

Rep: Reputation: 159
Look into 'chroot'
 
Old 06-04-2006, 04:59 AM   #3
Yalla-One
Member
 
Registered: Oct 2004
Location: Norway
Distribution: Slackware, CentOS
Posts: 635

Original Poster
Rep: Reputation: 35
I have, but not being an expert on this, and from reading compartment's description, it seems to go much further than "just" chroot ?

From what I can see, chroot only changes the root, while compartment also makes limitations on user, group and also do limitations..

Or am I completely mistaken in my assumptions?

I'd greatly appreciate if you could elaborate or show me some pointers to further reading on the subject.

-Y1
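
Added example, not part of the thread and not compartment's own code: a C sketch of the combination the post above describes, changing the root and then restricting group and user, with a check that root cannot be regained. The jail path `/var/empty` and the uid/gid 65534 are assumptions.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Confine the calling process: new root, then drop group and user.
 * Order matters: chroot() and setgroups()/setgid() need root, so the
 * uid is dropped last. Returns 0 on success, -1 (errno set) on failure. */
int confine(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }
    if (chdir(jail) != 0) return -1;        /* enter the jail first */
    if (chroot(".") != 0) return -1;        /* cwd is now inside the new root */
    if (setgroups(0, NULL) != 0) return -1; /* clear supplementary groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the drop is irreversible: regaining root must fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Run confine() in a child so the caller itself stays unconfined.
 * Returns 0 if the child was confined, 2 if confinement failed
 * (for example, not started as root), 1 on fork/wait failure. */
int try_confine(const char *jail, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return 1;
    if (pid == 0) _exit(confine(jail, uid, gid) == 0 ? 0 : 2);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/var/empty"; /* assumed jail path */
    int r = try_confine(jail, 65534, 65534); /* 65534: commonly "nobody" (assumption) */
    printf("confine(%s) -> %s\n", jail, r == 0 ? "confined" : "failed");
    return r;
}
```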
 
Old 06-04-2006, 05:21 AM   #4
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 1,748

Rep: Reputation: 159
Quote:
Originally Posted by Yalla-One
I have, but not being an expert on this, and from reading compartment's description, it seems to go much further than "just" chroot ?
You are right. Sorry.

I don't know why it is no longer maintained, but that often happens to the best software packages. If compartment does what you need it to do, use it. Don't worry about how old the thing is.
 
Old 06-04-2006, 06:08 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,005
Blog Entries: 54

Rep: Reputation: 2763
Quote:
Are they so old because they work fine and didn't need updates, or have they been replaced by newer, more efficient and secure solutions?
Yes, notably the GRSecurity kernel patch, SELinux (not interchangeable) and (various forms of) virtualization. GRSecurity reinforces chroot, allows fine-grained control over resources (RBAC) and extends logging capabilities. SELinux provides a form of RBAC as well. Virtualization doesn't provide security enhancements (in the sense GRSecurity and SELinux do) but mitigates damage by separating the guest O.S. from the host O.S.


Quote:
I am planning to use this as an added precaution for anything from ftp server to bittorrent.
I think it would be best to first start with host hardening (check out the LQ FAQ: Security references) including extended logging, adding an IDS, auditing and integrity check sw (should be done right after O.S. install) and a backup scenario. Proper host hardening means fewer open holes for corruption. "Better" logging (and parsing and reading), using an IDS (Snort, Prelude), auditing sw (Tiger, Chkrootkit, Rootkit Hunter, number9's NSAT, etc, etc) and integrity check (Aide, Samhain) means you have more layers of inspection and better chances of getting warned and *knowing* what to look for. *After* that decide what features you need in an FTPd (I prefer Muddleftpd as its security record is better than even Proftpd). If you are going to run a Bittorrent tracker then you will have to invest time hardening your database, webserver and (especially) firewall setup. If you are going to run a Bittorrent client then you can get away with investing considerably less time. The swarm doesn't interact with your client other than shoving packets your way AFAIK.



Quote:
run a potentially dangerous application in a secure and limited environment.
A bit OT maybe but as you've seen there are different solutions for different tasks. Like for instance I wouldn't want to run unknown hostile code I found in a chroot: I'll use Qemu for that. One final note is that while proper hardening goes a long way and stuff described above can help, nothing compares to relocating (DMZ) "vulnerable" services you need to provide to a separate box (also see: eggs, basket).

HTH
 
Old 06-04-2006, 03:30 PM   #6
Yalla-One
Member
 
Registered: Oct 2004
Location: Norway
Distribution: Slackware, CentOS
Posts: 635

Original Poster
Rep: Reputation: 35
Thanks for the very thorough reply - lots of information to digest.

My torrents are only client, not a server, so as you say the risk is probably not too big..

I believe the solution for me is to keep compartment until I've got a stable qemu solution up and running, which as you say is totally separated and thus totally safe.

Thanks again for excellent input - much appreciated!

-Y1
 
Old 06-04-2006, 05:03 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,005
Blog Entries: 54

Rep: Reputation: 2763
Me writing about "unknown hostile code I found" refers to exploits and stuff like that. While there isn't something like "too much security" Qemu seems a bit too much for just running Bittorrent IMHO.
 
  

