Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
 |
06-04-2006, 05:36 AM
|
#1
|
Member
Registered: Oct 2004
Location: Norway
Distribution: Slackware, CentOS
Posts: 641
Rep:
|
Using compartment
Hi,
I found a program called compartment ( http://www.suse.de/~marc/compartment.html) that supposedly allows me to run a potentially dangerous application in a secure and limited environment.
However, this application has not been maintaind for a long time, with the exception of ( http://www.chronox.de/chroot/compartment-1.2.tar.bz2) which is also quite old.
Does anyone have any experience with these programmes? Are they so old because they work fine and didn't need updates, or have they been replaced by newer, more efficient and secure solutions?
I am planning to use this as an added precaution for anything from ftp server to bittorrent.
Any insight greatly appreciated!
-Y1
|
|
|
06-04-2006, 05:46 AM
|
#2
|
Senior Member
Registered: Sep 2004
Distribution: slackware
Posts: 4,734
|
Look into 'chroot'
|
|
|
06-04-2006, 05:59 AM
|
#3
|
Member
Registered: Oct 2004
Location: Norway
Distribution: Slackware, CentOS
Posts: 641
Original Poster
Rep:
|
I have, but not being an expert on this, and from reading compartment's description, it seems to go much further than "just" chroot ?
From what I can see, chroot only changes the root, while compartment also makes limitations on user, group and also do limitations..
Or am I completely mistaken in my assumtions?
I'd greatly appreciate if you could elaborate or show me some pointers to further reading on the subject.
-Y1
|
|
|
06-04-2006, 06:21 AM
|
#4
|
Senior Member
Registered: Sep 2004
Distribution: slackware
Posts: 4,734
|
Quote:
Originally Posted by Yalla-One
I have, but not being an expert on this, and from reading compartment's description, it seems to go much further than "just" chroot ?
|
You are right. Sorry.
I don't know why it is no longer maintained, but that often happens to the best software packages.  If compartment does what you need it to do, use it. Don't worry about how old the thing is.
|
|
|
06-04-2006, 07:08 AM
|
#5
|
Moderator
Registered: May 2001
Posts: 29,415
|
Are they so old because they work fine and didn't need updates, or have they been replaced by newer, more efficient and secure solutions?
Yes, notably the GRSecurity kernel patch, SELinux (not interchangeable) and (various forms of) virtualization. GRSecurity reinforces chroot, allows finegrained control over resources (RBAC) and extends logging capabilities. SELinux provides a form of RBAC as well. Virtualization doesn't provide security enhancements (in the sense GRSecurity and SELinux do) but mitigates damage by separating the guest O.S. from the host O.S..
I am planning to use this as an added precaution for anything from ftp server to bittorrent.
I think it would be best to first start with host hardening (check out the LQ FAQ: Security references) including extended logging, adding an IDS, auditing and integrity check sw (should be done right after O.S. install) and a backup scenario. Proper host hardening means less ways open holes for corruption. "Better" logging (and parsing and reading), using an IDS (Snort, Prelude), auditing sw (Tiger, Chkrootkit, Rootkit Hunter, number9's NSAT, etc, etc) and integrity check (Aide, Samhain) means you have more layers of inspection and better chances of getting warned and *knowing* what to look for. *After* that decide what features you need in an FTPd (I prefer Muddleftpd as it's security record is better than even Proftpd). If you are going to run a Bittorrent tracker then you will have to invest time hardening your database, webserver and (especially) firewall setup. If you are going to run a Bittorrent client then you can get away with investing considerably less time. The swarm doesn't interact with your client other than shoving packets your way AFAIK.
run a potentially dangerous application in a secure and limited environment.
A bit OT maybe but as you've seen there are different solutions for different tasks. Like for instance I wouldn't want to run unknown hostile code I found in a chroot: I'll use Qemu for that. One final note is that while proper hardening goes a long way and stuff described above can help, nothing compares to relocating (DMZ) "vulnerable" services you need to provide to a separate box (also see: eggs, basket).
HTH
|
|
|
06-04-2006, 04:30 PM
|
#6
|
Member
Registered: Oct 2004
Location: Norway
Distribution: Slackware, CentOS
Posts: 641
Original Poster
Rep:
|
Thanks for very thorough reply - lots of information to digest.
My torrents are only client, not a server, so as you say the risk is probably not too big..
I believe the solution for me is to keep compartment until I've got a stable qemu solution up and running, which as you say is totally separated and thus totally safe.
Thanks again for excellent input - much appreciated!
-Y1
|
|
|
06-04-2006, 06:03 PM
|
#7
|
Moderator
Registered: May 2001
Posts: 29,415
|
Me writing about "unknown hostile code I found" refers to exploits and stuff like that. While there isn't something like "too much security" Qemu seems a bit too much for just running Bittorrent IMHO.
|
|
|
All times are GMT -5. The time now is 05:04 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|