View Poll Results: Making use of Ch-Root's as an extra step to increase security?
Hello,
I'm stuck in a rut and have come here to hopefully get a more definitive answer to the question. I've viewed plenty of different websites, and some are telling you yeah, ch-rooting for security can't go wrong, and others tell you ch-rooting for security is useless and should only be used for its initial purpose of debugging dodgy software.
What I want to know is, is it good to use as an extra security measure? I've been spending some of my time looking into its usefulness as a security feature and to me it looks pretty cool. Any service I run inside the jail (which so far is everything I've been testing) doesn't run as root, and there isn't a root user or similar privilege available inside the /etc/passwd of the jailed area, so root privileges cannot be achieved as far as I'm aware. Especially if only the root user is able to exit the jail, then surely this is damn good? Yeah, they might be able to compromise everything in the jail, but who cares, it's easy to back up and easy to replace if all goes bad? So I can't see the big hoo-ha that seems to be around using ch-roots as extra security, and I'm looking for some clarity.
Thanks for any answers and I look forward to the discussion!
I also added a poll to try and see, if enough people look, what the feeling of most people is about this subject.
It also might help keep points clear if you didn't use the terms chroot and jail interchangeably. (There are true jails which are very different from chroot, e.g. FreeBSD Jail.)
Well, it is often referred to that way. I don't want to split hairs, I just wanted to point out that consistently referring to it as just chroot (or chrooted environment) may help keep things clear.
My opinion is that the amount of effort required to set up a chrooted service (and, per that discussion, the negligible ROI) is not worth the perceived 'security' benefit.
MAC can confine daemons properly (this is also not easy to set up, but it's a better security concept) if this is what you want. Alternatively, in GNU/Linux land you may like to check out Linux VServer. It's going to depend on your circumstances and what you're looking to achieve. Example: I'm going to need to set up an sftp server for some outside users in the near future. I am planning to run sshd in a FreeBSD Jail and then give the users scponly shells. Directory permissions will be such that they can only read/write within their home directories (but they won't actually be kept out of other areas of the jail). Not perfect, but a pretty good solution for my circumstances.
It's interesting you say that. For my test environment I've chrooted Apache, PHP, ssh, vsftp, ssl and probably some other things, and that was pretty simple. With this, vsftp can run with ssl for your data and password encryption, and it also includes a useful chroot itself to contain the user to wherever you want. In our case we are stopping our web developers from being able to move around the box: we have their usernames inside the chroot, and they can connect over encrypted vsftp all inside a chroot. So vsftp is already chrooted off, and then I changed the passwd file of the chrooted environment so that their home directory was instead pointing to the web root directory, and vsftp would chroot them there too. To me, and how it seems to be in the test environment, it looks good and secure; there is no root or similar privileged user inside the jail, and that's all done on a simple SUSE box. I must admit, however, that nowadays everything and everyone is on about virtual servers or SELinux. If it's so inherently impossible to break a chroot jail if you're not the root user, then running services chrooted must be great: the service may become compromised, but if the chroot truly cannot be circumvented without root then the box is pretty safe. That's the way it's perceived in all these docs?
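The setup described above relies on the jail having no root-equivalent account in its own passwd file; a practitioner checking such a jail would also want to confirm there are no setuid/setgid binaries and no device nodes inside it, since those are the usual ways a non-root process regains privilege or reaches the host. The POSIX shell audit below is an added example, not code from any poster in this thread; it assumes the jail's passwd lives at <jail>/etc/passwd and that paths inside the jail contain no whitespace.

```shell
#!/bin/sh
# Audit a chroot directory for the properties the thread relies on.
# Prints each finding, then a summary line; returns 0 only if the jail is clean.
# Assumption: paths inside the jail contain no whitespace (word-splitting on find output).

audit_chroot() {
    jail="$1"
    findings=0
    [ -d "$jail" ] || { echo "not a directory: $jail" >&2; return 2; }

    # 1. A uid-0 account in the jail's own passwd means a process that gets
    #    that identity is root, and chroot does not confine root.
    if [ -f "$jail/etc/passwd" ]; then
        for u in $(awk -F: '$3 == 0 { print $1 }' "$jail/etc/passwd"); do
            echo "uid0 account in jail passwd: $u"
            findings=$((findings + 1))
        done
    else
        echo "note: no $jail/etc/passwd (service may use the host's passwd)"
    fi

    # 2. setuid/setgid files are the classic route from a non-root shell to
    #    elevated privilege; a minimal jail should contain none.
    for f in $(find "$jail" -type f \( -perm -4000 -o -perm -2000 \)); do
        echo "setuid/setgid file: $f"
        findings=$((findings + 1))
    done

    # 3. Block/character device nodes (a copied /dev/sda, /dev/mem, ...) give
    #    a jailed process a path to the host that the directory tree does not.
    for d in $(find "$jail" \( -type b -o -type c \)); do
        echo "device node: $d"
        findings=$((findings + 1))
    done

    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Usage: sh audit_chroot.sh /path/to/jail
if [ "$#" -gt 0 ]; then
    audit_chroot "$1"
fi
```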
Actually, this security feature is in order to avoid the hacker compromising your whole system, rather than locking the hacker only to the directory. You can purely rely on these security features. I would rather trust the OpenBSD firewall pf. This firewall is the most secure firewall in the world, which can compete with commercial firewalls like Cisco. Moreover, this firewall is open source and the syntax is much easier than iptables. I strongly recommend you use OpenBSD as a gateway to protect your internal network. OpenBSD may not be good for the desktop, but it is the best in security features, especially encryption and IPsec. You only need 4 minutes to set up IPsec between two PCs.
I hope this helps.
I'm more interested in the chroot side of things and my initial question rather than firewalling, but thanks. Are there other people that can shed more light on chroot and perhaps other methods that are similar? Has anyone used or know much about Apache's mod for its own chroot?