RijilV wrote:
2009/6/10 7v5w7go9ub0o
<7v5w7go9ub0o-re5jqeeqqe8avxtiumw...@public.gmane.org>:
FWIW, I jail/chroot everything that connects to the net; e.g.
browsers, mail client, tor client, DNS server, nmap, snort, dhcpcd
..... everything.
What are you using to do your chrooting?
.r'
A man named Steve Friedl has written much about creating and breaking
out of chroot jails; I use his program "runchroot".
Here's his home page:
<http://unixwiz.net/techtips/chroot-practices.html#brkout>
I believe the script can be found in this "registerware" article: "Go
Directly to Jail. Available on all Linux and Unix systems, chroot jails
can secure untrusted applications and make trusted ones almost
impenetrable. Here's how to build them." <http://www.linux-mag.com/id/1230>
FWIW, I run a desktop, and shortly expect to run an SSH server. Some of
the more important GRSecurity lockdowns break X server, so for a
desktop user, taking the extra step of jailing servers and other
net-connected applications seems to make sense - especially given the
wonderful jail-breaking protections afforded jails by GRSecurity
(obviously, if the Apache server is running on a separate box without X,
the full complement of GRS "hardening" would be used :-) :
[*] Chroot jail restrictions
  [*] Deny mounts
  [*] Deny double-chroots
  [*] Deny pivot_root in chroot
  [*] Enforce chdir("/") on all chroots
  [*] Deny (f)chmod +s
  [*] Deny fchdir out of chroot
  [*] Deny mknod
  [*] Deny shmat() out of chroot
  [*] Deny access to abstract AF_UNIX sockets out of chroot
  [*] Protect outside processes
  [*] Restrict priority changes
  [*] Deny sysctl writes
  [*] Capability restrictions
Again, the GRS RBAC program works extremely well, and is a powerful
companion to jails.
HTH