[Mono-list] Re: Running mod-mono-server in a chroot jail

Christopher Bergström cbergstrom at netsyncro.com
Tue Nov 29 06:21:18 EST 2005


Robert Jordan wrote:

> Jesse,
>
>> You are correct, I do not have the real proc filesystem mounted into the
>> jail.  I was thinking I could go ahead and mount this using something 
>> like:
>>
>> mount --bind /proc -o ro,nosuid /home/jail/proc
>
>
> mount -n -t proc proc /home/jail/proc
>
>> Does this open up any security issues etc?  I'm not very familiar 
>> with the
>> proc filesystem.
>
>
> There were some security issues (chroot escapes) with chroot
> and procfs, but I cannot remember which linux kernel version
> was affected (2.2 or 2.4?).
>
Since security is being brought up here...  Find paxtest.. Test your 
system and then check to see if you have make tools installed.. It takes 
about 2 minutes to pivot and/or simply escape out of a chroot jail if 
you know a few key things.. chroot isn't a panacea..

Also.. For those that plan to run a reverse proxy to allow multiple 
xsp.. (Take a look at how many vulnerabilities squid has had over the 
last year.)

I'm by no means an expert, but these are my basic thoughts..

C.
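An added check, not part of this thread: a small POSIX sh script that reads /proc/mounts-style lines and confirms that the procfs mounted into the jail carries nosuid, nodev and noexec (it goes a little beyond the ro,nosuid discussed above). The jail path /home/jail/proc comes from the thread; the sample mount lines are constructed.

```shell
#!/bin/sh
# Verify the hardening options on a procfs mounted into a chroot jail.
# Input lines follow /proc/mounts: <dev> <mountpoint> <fstype> <options> <dump> <pass>

# Options a jail's proc mount should carry (assumption: ro is not insisted on,
# because some runtimes need writable entries under /proc/self).
REQUIRED_OPTS="nosuid nodev noexec"

# check_jail_proc MOUNTS_TEXT JAIL_PROC
# Returns 0 if a procfs is mounted at JAIL_PROC with every required option,
# 1 if options are missing (and prints which), 2 if no procfs is mounted there.
check_jail_proc() {
    mounts="$1"; target="$2"
    line=$(printf '%s\n' "$mounts" | awk -v t="$target" '$2 == t && $3 == "proc" {print; exit}')
    [ -n "$line" ] || { echo "no procfs mounted at $target"; return 2; }
    opts=$(printf '%s\n' "$line" | awk '{print $4}')
    missing=""
    for o in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$o,"*) ;;                     # option present
            *) missing="$missing $o" ;;      # option absent
        esac
    done
    if [ -n "$missing" ]; then
        echo "$target is missing:$missing"
        return 1
    fi
    echo "$target ok ($opts)"
    return 0
}

# Constructed sample: the host proc is hardened, the jail proc is not.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /home/jail/proc proc rw,relatime 0 0
tmpfs /home/jail/tmp tmpfs rw,nosuid,nodev,noexec 0 0'

# Constructed sample: the jail proc mounted the way a defender would want it.
HARDENED_MOUNTS='proc /home/jail/proc proc ro,nosuid,nodev,noexec,relatime 0 0'

check_jail_proc "$SAMPLE_MOUNTS" /home/jail/proc \
    || echo "remount it: mount -t proc -o ro,nosuid,nodev,noexec proc /home/jail/proc"
check_jail_proc "$HARDENED_MOUNTS" /home/jail/proc
```

The remount suggestion assumes the jailed process does not need to write under /proc; drop ro if it does.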
