[Mono-list] Re: Running mod-mono-server in a chroot jail

Christopher Bergström cbergstrom at netsyncro.com
Thu Dec 1 19:16:01 EST 2005


Jesse Pasichnyk wrote:

>Christopher,
>
>Thanks for the heads up, I will definitely test out my chroot environment
>for security.
>Is it possible to create a "safe" chroot if it has mono installed in it?
>(including the compiler)
>
>
>I have a quick question about mounting my /proc filesystem into my jail
>environment.  I have a common jail environment at /home/jail, this gets
>mounted into each persons home directory at /home/username/.jail, using
>mount --bind.  I then symlink each of the required folders usr,lib,proc,var
>and such into the root of the users directory so I only need to mount one
>single folder into their home directory.
>
>I'm seeing a few weird things though (running redhat el4).  When I mount my
>proc filesystem into /home/jail/proc I can do a "ls -la /home/jail/proc" and
>see all the files, however it doesn't show up in a "df|grep proc".
>
Did you copy over mtab as well?  That usually shows what is currently 
mounted.  Also there are ways to control what is displayed from df.  
Further, there are other security risks involved with users sharing the 
same chroot path.  (It does seem that you are trying to put each user in 
a unique jail, but...?)

Anyhow, I'm wondering what put you down this chroot path?  What exactly 
is your goal besides simply chrooting mono?  If you're truly concerned 
with security I'd recommend starting with one of the hardened 
distributions. (Which one is up to you.) These should provide a little 
better out of box security and allow you to get your end result.

Good luck,

C.
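A check for the df discrepancy raised in the quoted message, added here as an example and not code from either poster: df reads the mount table from /etc/mtab, while /proc/mounts is the kernel's own, authoritative table. The function below reports mount points strictly below a jail root that the kernel knows about but mtab does not, which are exactly the mounts df will leave out. The sample tables are constructed (hypothetical device names and paths modelled on the /home/jail layout described above); the file-format assumption is only that field 2 of each line is the mount point, as in both /proc/mounts and mtab.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists mount points under a jail
# root that appear in the kernel mount table (/proc/mounts) but not in
# /etc/mtab, the table df reads; those are the mounts df omits.
#
# Usage: jail_mounts_missing_from_mtab JAIL_ROOT [MOUNTS_FILE] [MTAB_FILE]
# The file arguments default to the live system tables.
jail_mounts_missing_from_mtab() {
    jail=$1
    mounts=${2:-/proc/mounts}
    mtab=${3:-/etc/mtab}
    # Field 2 of both tables is the mount point. Read mtab first and
    # remember its mount points, then report every mount point strictly
    # below the jail root that mtab does not list.
    awk -v jail="$jail" -v mtabfile="$mtab" '
        FILENAME == mtabfile { in_mtab[$2] = 1; next }
        index($2, jail "/") == 1 && !($2 in in_mtab) { print $2 }
    ' "$mtab" "$mounts"
}

# Constructed sample tables (hypothetical, modelled on the setup in the
# thread): the kernel knows about the bind-mounted jail and the proc mount
# inside it, but mtab was never updated for that proc mount.
write_sample_tables() {
    dir=$1
    cat > "$dir/mounts" <<'EOF'
/dev/sda1 / ext3 rw 0 0
proc /proc proc rw 0 0
/dev/sda1 /home/jail ext3 rw 0 0
proc /home/jail/proc proc rw 0 0
EOF
    cat > "$dir/mtab" <<'EOF'
/dev/sda1 / ext3 rw 0 0
proc /proc proc rw 0 0
/dev/sda1 /home/jail ext3 rw 0 0
EOF
}

# Stand-alone run against the constructed tables; prints the jail's proc
# mount, the one entry df would not show.
sample=$(mktemp -d)
write_sample_tables "$sample"
jail_mounts_missing_from_mtab /home/jail "$sample/mounts" "$sample/mtab"
rm -rf "$sample"
```

Run with no file arguments on the host to compare the live tables. On distributions where /etc/mtab is a symlink to /proc/self/mounts the two tables cannot diverge and the function prints nothing; the discrepancy described above only arises where mtab is a separately maintained file, as on the RHEL 4 system in the thread.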

