Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have Apache with SSL and PHP support running in a chrooted environment on my web box. I am also running Squirrelmail from within the chroot jail. I am not, however, running courier-imap, fetchmail, or procmail in any jailed environment. Does running a mix of programs (in and out of the jail) that coordinate together compromise the security measure of a chrooted jail? Should I try to get courier-imap, fetchmail, and procmail all to run within that same jail?
Also, I've heard that a chroot should be an entirely seperate partition altogether. Is this true?
I have Apache with SSL and PHP support running in a chrooted environment on my web box. I am also running Squirrelmail from within the chroot jail.
Well did you TEST all functionality? Like can you still use PHP's mail function? Do MySQL connects work? Are you also using perl? Which Apache and PHP version are you using? What software did you install in the chroot for forwarding mail?
Quote:
I am not, however, running courier-imap, fetchmail, or procmail in any jailed environment. Does running a mix of programs (in and out of the jail) that coordinate together compromise the security measure of a chrooted jail? Should I try to get courier-imap, fetchmail, and procmail all to run within that same jail?
Well you can think of a jail as a directory subtree. The more you install in this subtree the more you loose security. Remember the benefits of a chroot: minimum access to software, etc. If however you have a LOT of software within the chroot you loose system security.
Applications can cooperate fine if they are partly in chrooted environments. If you have set up those chroots correctly then it will be no problem at all ... you shouldn't notice anything at least :-)
Running fetchmail chrooted? Well that makes no sense to me honestly, except you poll all the time (which would make fetchmail a daemon in that way). Regarding chrooting courier-imap you have to think of the mail directory for that user and the authentification ...
Quote:
Also, I've heard that a chroot should be an entirely seperate partition altogether. Is this true?
It's good practice ...
Last edited by markus1982; 05-24-2003 at 08:55 AM.
Originally posted by markus1982 Well did you TEST all functionality? Like can you still use PHP's mail function? Do MySQL connects work? Are you also using perl? Which Apache and PHP version are you using? What software did you install in the chroot for forwarding mail?
I can use Squirrelmail flawlessly. I compliled PHP without MySQL support. It was not needed for just using Squirrelmail I don't use anything for forwarding mail in the chroot. I have created home directories under the chroot to store mail in. Btw, how can I tell that everything is running truelly within the chroot?
Quote:
Well you can think of a jail as a directory subtree. The more you install in this subtree the more you loose security. Remember the benefits of a chroot: minimum access to software, etc. If however you have a LOT of software within the chroot you loose system security.
What output should it have, and what shouldn't it? Should the absolute path show, or the chrooted path? IE, if apache is chrooted in /var/apache, then should the processes show '/var/apache/bin/httpd' or '/bin/httpd' ?
EDIT:
# ls -l /proc/1296
total 0
-r--r--r-- 1 root root 0 May 29 16:32 cmdline
lrwxrwxrwx 1 root root 0 May 29 16:32 cwd -> /var/export/chroots/www4
-r-------- 1 root root 0 May 29 16:32 environ
lrwxrwxrwx 1 root root 0 May 29 16:32 exe -> /var/export/chroots/www4/apache/bin/httpd
dr-x------ 2 root root 0 May 29 16:32 fd
-r--r--r-- 1 root root 0 May 29 16:32 maps
-rw------- 1 root root 0 May 29 16:32 mem
-r--r--r-- 1 root root 0 May 29 16:32 mounts
lrwxrwxrwx 1 root root 0 May 29 16:32 root -> /var/export/chroots/www4
-r--r--r-- 1 root root 0 May 29 16:32 stat
-r--r--r-- 1 root root 0 May 29 16:32 statm
-r--r--r-- 1 root root 0 May 29 16:32 status
So far all the apache processes show this. Does it appear to be chrooted fully?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.