About this list Date view Thread view Subject view Author view Attachment view

From: klavs klavsen (kl_at_vsen.dk)
Date: Fri 15 Feb 2002 - 08:28:53 GMT


Hi Vlad,

On Thu, 2002-02-14 at 16:06, Vlad wrote:
> I think that's the basis for chroot - it binds the new context to an IP
> address... otherwise you might as well just set up a generic chroot for
> each service..
Damn. You sure? I'm not so sure. Bastille Linux chroots your BIND
service, for instance, and it doesn't change the config or the IP it runs
on. And shouldn't you be able to bind a specific chroot jail to a
specific port/IP instead of a specific unique IP? (The last is just
plain dumb if you have many services.)
 
> What you can try and do is create your vservers in private address space
> (192.168, 10.0.) and then do port forwards from the 1 real IP address..
That's a workaround, but I would be very sorry to have to do that, as
it adds complexity to my firewall script. If it doesn't need to be
there, remove it :-)

> On 14 Feb 2002, klavs klavsen wrote:
>
> > Hi guys,
> >
> > I need to install and maintain 6 kinds of servers.
> >
> > 1 with Samba and OpenLDAP, 1 with Postfix, Courier-IMAP, OpenLDAP and
> > Apache, and so forth.
> >
> > what i wanted to do, is to have them all installed on 1 physical
> > machine, under each vserver.
> >
> > I was thinking, that it would be a good idea to chroot each service on
> > each server, so that a vulnerability in one, doesn't put the other
> > services on that machine in danger. Unfortunately chroot is not safe
> > (see earlier mail on this list).
> >
> > I've read the docs on the site, but it's not really clear to me if I can
> > do this, and how this compares to doing the same with chroot (except for
> > the fact that chroot is not safe and vserver is :-)
> >
> > My questions therefore are these:
> >
> > Can I "chroot" each service on each vserver - without having to create a
> > new vserver (with a new IP) for each service?
> >
> > In the case of postfix and courier-imap can two "chroot" jails share the
> > same files (the maildir)?
> >
> > A final question: if I install ssh on each vserver - and the services
> > are chrooted - will the ssh users still be able to configure them? -
> > they would with a normal chroot, so that shouldn't be a problem?
> >
> >
>

-- 
Regards,
Klavs Klavsen

-------------| This mail has been sent to you by: |------------
Klavs Klavsen - OpenSource Consultant
kl_at_vsen.dk - http://www.vsen.dk

Get PGP key from www.keyserver.net - Key ID: 0x586D5BCA
Fingerprint = A95E B57B 3CE0 9131 9D15 94DA E1CD 641E 586D 5BCA

--------------------[ I believe that... ]-----------------------
It is a myth that people resist change. People resist what other people
make them do, not what they themselves choose to do... That's why
companies that innovate successfully year after year seek their people's
ideas, let them initiate new projects and encourage more experiments.
-- Rosabeth Moss Kanter
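The workaround Vlad suggests above (vservers in private address space, port forwards from the one real IP), written out as an added example. This is not code from the original thread or from the vserver project. The public IP 203.0.113.10, the interface eth0, the vserver addresses 10.0.0.2 and 10.0.0.3 and the service table are all assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the vserver project: forward a few
# services from the host's single real IP to vservers that live in RFC1918
# address space, using iptables DNAT. Every address, interface and port
# below is an assumption made up for the example.

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # assumed real IP of the physical box
EXT_IF="${EXT_IF:-eth0}"                 # assumed interface carrying that IP
IPT="${IPT:-iptables}"                   # set IPT=echo to print rules without applying

# Constructed forwarding table: public_port proto vserver_ip vserver_port.
# Both vservers run sshd on 22, but only one of them can own port 22 on the
# single real IP, so ssh is remapped to 2202/2203 on the public side.
FORWARDS='
25   tcp 10.0.0.2 25
143  tcp 10.0.0.2 143
80   tcp 10.0.0.3 80
2202 tcp 10.0.0.2 22
2203 tcp 10.0.0.3 22
'

# check_forwards [table]: return 1 if the same public port/proto is claimed
# twice. The first matching DNAT rule would silently win and the second
# service would never be reachable from outside.
check_forwards() {
    printf '%s\n' "${1:-$FORWARDS}" | awk '
        NF == 4 {
            key = $1 "/" $2
            if (seen[key]++) { print "duplicate public port " key; bad = 1 }
        }
        END { exit bad + 0 }'
}

# dnat_rules [table]: print one DNAT rule and one accept rule per service.
# The vserver IPs are aliases on this same host (vservers share the kernel
# network stack), so after DNAT the packet is delivered locally and passes
# the INPUT chain, not FORWARD.
dnat_rules() {
    printf '%s\n' "${1:-$FORWARDS}" | while read -r pport proto vip vport; do
        [ -n "$pport" ] || continue
        echo "$IPT -t nat -A PREROUTING -i $EXT_IF -d $PUBLIC_IP -p $proto --dport $pport -j DNAT --to-destination $vip:$vport"
        echo "$IPT -A INPUT -i $EXT_IF -d $vip -p $proto --dport $vport -m state --state NEW -j ACCEPT"
    done
}

# apply_forwards: validate the table, admit loopback and reply traffic, add
# the generated rules, then close INPUT by default.
apply_forwards() {
    check_forwards || return 1
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    dnat_rules | while read -r cmd; do
        sh -c "$cmd" || exit 1
    done || return 1
    $IPT -P INPUT DROP
}

# Usage: sh forwards.sh apply      (or: IPT=echo sh forwards.sh apply)
case "${1:-}" in
    apply) apply_forwards ;;
esac
```

The script makes the cost of the workaround visible: the table has to be kept in step with every service on every vserver, and any two vservers that want the same port (sshd on 22 here) force a remapped public port. The accept rules go in INPUT rather than FORWARD because the vserver addresses are aliases on the same kernel, so a DNATed packet is delivered locally instead of being routed onward.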



Generated on Wed 06 Nov 2002 - 07:03:39 GMT by hypermail 2.1.3