RE: [Mono-list] Re: Running mod-mono-server in a chroot jail
Jesse Pasichnyk
jesse at pasichnyk.net
Thu Dec 1 18:21:50 EST 2005
Christopher,
Thanks for the heads up, I will definitely test out my chroot environment
for security.
Is it possible to create a "safe" chroot if it has mono installed in it?
(including the compiler)
I have a quick question about mounting my /proc filesystem into my jail
environment. I have a common jail environment at /home/jail, this gets
mounted into each person's home directory at /home/username/.jail, using
mount --bind. I then symlink each of the required folders usr,lib,proc,var
and such into the root of the users directory so I only need to mount one
single folder into their home directory.
I'm seeing a few weird things though (running redhat el4). When I mount my
proc filesystem into /home/jail/proc I can do a "ls -la /home/jail/proc" and
see all the files, however it doesn't show up in a "df|grep proc". Also
when I mount my /home/jail onto a /home/username/.jail, I get nothing in a
"ls -la /home/username/.jail/proc". Do you know any reasoning for this? Is
this because I have to explicitly mount the proc filesystem into the user's
home directory as the "proc" type? If so, any ways around this?
This is causing my execution of a chrooted mod-mono-server to fail due to
inability to get the number of processors on the machine, same as described
in past emails.
Any ideas/comments would be much appreciated.
Thanks,
Jesse
-----Original Message-----
From: mono-list-bounces at lists.ximian.com
[mailto:mono-list-bounces at lists.ximian.com] On Behalf Of Christopher
Bergström
Sent: Tuesday, November 29, 2005 3:21 AM
Cc: Mono-list at lists.ximian.com
Subject: [Mono-list] Re: Running mod-mono-server in a chroot jail
Robert Jordan wrote:
> Jesse,
>
>> You are correct, I do not have the real proc filesystem mounted into
>> the jail. I was thinking I could go ahead and mount this using
>> something
>> like:
>>
>> mount --bind /proc -o ro,nosuid /home/jail/proc
>
>
> mount -n -t proc proc /home/jail/proc
>
>> Does this open up any security issues etc? I'm not very familiar
>> with the proc filesystem.
>
>
> There were some security issues (chroot escapes) with chroot and
> procfs, but I cannot remember which linux kernel version was affected
> (2.2 or 2.4?).
>
Since security is being brought up here... Find paxtest.. Test your system
and then check to see if you have make tools installed.. It takes about 2
minutes to pivot and or simply escape out of a chroot jail if you know a few
key things.. chroot isn't a panacea..
Also.. For those that plan to run a reverse proxy to allow multiple xsp..
(Take a look at how many vulnerabilities squid has had over the last year.)
I'm by no means an expert, but these are my basic thoughts..
C.
_______________________________________________
Mono-list maillist - Mono-list at lists.ximian.com
http://lists.ximian.com/mailman/listinfo/mono-list
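The two observations in the thread (proc missing from `df`, and a proc mounted under /home/jail not appearing inside a bind mount of /home/jail) have a mechanical explanation: `df` hides zero-block pseudo filesystems such as proc unless run with `-a`, and `mount --bind` is not recursive, so submounts of the source tree are not carried along (a `mount --rbind`, or an explicit `mount -t proc proc <jail>/proc` per jail root as Robert suggested, is needed). The check below is an added example, not code posted by anyone on the list: it reads a mount table in /proc/self/mounts format and reports whether a given jail root actually has procfs mounted at `<jail>/proc`. The sample mount table and the user names alice and bob are constructed for the example; on a live host redirect /proc/self/mounts into the function instead.

```shell
#!/bin/sh
# Added example for this thread (not code from the list). Reports whether a
# chroot jail root has a real procfs mounted at <jail>/proc, reading a mount
# table in /proc/self/mounts format from standard input.
#
# Constructed sample table: alice's jail was made with a plain
# `mount --bind /home/jail /home/alice/.jail` (the procfs under /home/jail is
# not carried along), bob's with `mount --rbind` (it is).
SAMPLE_MOUNTS='/dev/sda2 / ext3 rw 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
proc /home/jail/proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda2 /home/alice/.jail ext3 rw 0 0
/dev/sda2 /home/bob/.jail ext3 rw 0 0
proc /home/bob/.jail/proc proc rw,nosuid,nodev,noexec 0 0'

# jail_proc_state JAIL_ROOT  < mount-table
# Prints one of:
#   proc      a proc-type filesystem is mounted exactly at JAIL_ROOT/proc
#   missing   JAIL_ROOT is itself a mount point but has no procfs under it
#             (the typical result of a non-recursive bind mount)
#   nojail    JAIL_ROOT is not a mount point and has no procfs under it
# Exit status is 0 only for "proc", so it can be used directly in an `if`.
jail_proc_state() {
    jail="${1%/}"              # strip a trailing slash; "/" becomes ""
    jail_mounted=no
    proc_mounted=no
    # /proc/self/mounts fields: source mountpoint fstype options dump pass
    while read -r src mnt fstype opts rest; do
        if [ "$mnt" = "$jail" ]; then
            jail_mounted=yes
        fi
        if [ "$mnt" = "$jail/proc" ] && [ "$fstype" = "proc" ]; then
            proc_mounted=yes
        fi
    done
    if [ "$proc_mounted" = yes ]; then
        echo proc
        return 0
    elif [ "$jail_mounted" = yes ]; then
        echo missing
        return 1
    else
        echo nojail
        return 1
    fi
}

# Demonstration over the constructed table. On a live host use:
#   jail_proc_state /home/username/.jail < /proc/self/mounts
for jail in /home/jail /home/alice/.jail /home/bob/.jail; do
    state=$(printf '%s\n' "$SAMPLE_MOUNTS" | jail_proc_state "$jail")
    printf '%-20s %s\n' "$jail" "$state"
done
```

Running it prints `proc` for /home/jail and /home/bob/.jail and `missing` for /home/alice/.jail, which is exactly the situation described above: the common jail has procfs, but a per-user bind mount of it does not until procfs is mounted there too (or the bind is made with `--rbind`).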