RE: [Mono-list] Re: Running mod-mono-server in a chroot jail

Jesse Pasichnyk jesse at pasichnyk.net
Thu Dec 1 18:21:50 EST 2005


Thanks for the heads up, I will definitely test out my chroot environment
for security.
Is it possible to create a "safe" chroot if it has mono installed in it
(including the compiler)?

I have a quick question about mounting my /proc filesystem into my jail
environment.  I have a common jail environment at /home/jail; this gets
mounted into each person's home directory at /home/username/.jail using
mount --bind.  I then symlink each of the required folders (usr, lib, proc, var
and such) into the root of the user's directory, so I only need to mount one
single folder into their home directory.

I'm seeing a few weird things though (running Red Hat EL4).  When I mount my
proc filesystem into /home/jail/proc I can do a "ls -la /home/jail/proc" and
see all the files; however, it doesn't show up in a "df|grep proc".  Also,
when I mount my /home/jail onto /home/username/.jail, I get nothing in a
"ls -la /home/username/.jail/proc".  Do you know any reason for this?  Is
this because I have to explicitly mount the proc filesystem into the user's
home directory as the "proc" type?  If so, are there any ways around this?

This is causing my execution of a chrooted mod-mono-server to fail due to an
inability to get the number of processors on the machine, the same as described
in past emails.

Any ideas/comments would be much appreciated.


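An added check for the jail layout described in the message above (editor's example, not code from the thread or from the Mono project). Two things explain what was observed: GNU df hides pseudo filesystems with zero blocks unless given -a, and it reads /etc/mtab, which "mount -n" deliberately does not update, so a procfs mounted that way never shows up in df even though the kernel has it mounted. Separately, a plain "mount --bind /home/jail /home/username/.jail" copies only that one mount, not the procfs mounted underneath it, so the user's .jail/proc is the empty directory that sits under /home/jail/proc; "mount --rbind" (recursive bind) or a second "mount -t proc" at the user's .jail/proc fixes that. The script below reads the kernel's own mount table (/proc/self/mounts) rather than trusting ls or df, and reports whether a jail's proc is a real procfs. The sample mount table is constructed for the demo; the mount-point paths are the ones from the message and are assumptions about the setup.

```shell
#!/bin/sh
# Added example: verify a chroot jail's /proc against the kernel mount table.
# Not code from the thread or from Mono. Assumes the /proc/self/mounts format
# "device mountpoint fstype options dump pass", one mount per line, with spaces
# in paths escaped as \040 (so a plain field match on the mount point is safe).

# mount_fstype PATH [MOUNTS_FILE]
# Print the filesystem type mounted exactly at PATH, or "none" if nothing is
# mounted there. Reads the kernel mount table (default /proc/self/mounts), not
# /etc/mtab, which df uses and which `mount -n` never writes. If several
# filesystems are stacked on the same point, the last (topmost) one wins.
mount_fstype() {
    awk -v p="$1" '$2 == p { t = $3 } END { print (t == "" ? "none" : t) }' \
        "${2:-/proc/self/mounts}"
}

# jail_proc_status JAIL [MOUNTS_FILE]
# Classify JAIL/proc as "ok" (a real procfs is mounted there), "missing" (no
# mount at that path, e.g. the empty directory left behind by a non-recursive
# `mount --bind` of the parent jail), or "bind" (some other filesystem type,
# such as a bind of the host's /proc directory that did not carry procfs).
jail_proc_status() {
    t=$(mount_fstype "$1/proc" "$2")
    case "$t" in
        proc) echo ok ;;
        none) echo missing ;;
        *)    echo bind ;;
    esac
}

# Constructed sample of /proc/self/mounts reproducing the setup in the mail:
# procfs mounted on the common jail, and the jail bind-mounted into one user's
# home WITHOUT --rbind, so the user's .jail/proc has nothing mounted on it.
write_sample_mounts() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
/dev/sda2 / ext3 rw 0 0
proc /proc proc rw 0 0
proc /home/jail/proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda2 /home/alice/.jail ext3 rw 0 0
EOF
    echo "$f"
}

# Demo against the constructed table; against a live host drop the file
# argument and the functions read /proc/self/mounts directly.
if [ "${1:-}" = "--demo" ]; then
    f=$(write_sample_mounts)
    echo "/home/jail:        $(jail_proc_status /home/jail "$f")"
    echo "/home/alice/.jail: $(jail_proc_status /home/alice/.jail "$f")"
    rm -f "$f"
fi
```

Run it with --demo to see the constructed case ("ok" for /home/jail, "missing" for /home/alice/.jail), or call jail_proc_status with just the jail path on the real box. One caveat a practitioner should keep in mind when fixing the "missing" case: a full procfs inside the jail exposes every process's /proc/PID directory to the jailed users, and the 2.6.9 kernel in RHEL4 has no hidepid mount option to limit that, so mount it nosuid,nodev,noexec and treat it as part of the jail's attack surface rather than as harmless plumbing.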

-----Original Message-----
From: mono-list-bounces at lists.ximian.com
[mailto:mono-list-bounces at lists.ximian.com] On Behalf Of Christopher
Sent: Tuesday, November 29, 2005 3:21 AM
Cc: Mono-list at lists.ximian.com
Subject: [Mono-list] Re: Running mod-mono-server in a chroot jail

Robert Jordan wrote:

> Jesse,
>> You are correct, I do not have the real proc filesystem mounted into 
>> the jail.  I was thinking I could go ahead and mount this using 
>> something
>> like:
>> mount --bind /proc -o ro,nosuid /home/jail/proc
> mount -n -t proc proc /home/jail/proc
>> Does this open up any security issues etc?  I'm not very familiar 
>> with the proc filesystem.
> There were some security issues (chroot escapes) with chroot and 
> procfs, but I cannot remember which linux kernel version was affected 
> (2.2 or 2.4?).
Since security is being brought up here...  Find paxtest.. Test your system
and then check to see if you have make tools installed.. It takes about 2
minutes to pivot and or simply escape out of a chroot jail if you know a few
key things.. chroot isn't a panacea..

Also.. For those that plan to run a reverse proxy to allow multiple xsp..
(Take a look at how many vulnerabilities squid has had over the last year.)

I'm by no means an expert, but these are my basic thoughts..
