Hi folks,
I'm currently trying to set up a chroot within a vserver instance.
What would be a /secure/ way to populate the chroot's /dev directory?
Background: This is a multi-user Webserver running PHP scripts via
php-fpm. php-fpm can (and should) be used chrooted. The chroot itself
works fine. My management tools (i.e. setting up new webspace/chroots
for users) are running inside the vserver instance, not on "bare metal".
A proper /dev is required because php sends mail via exec sendmail
requiring a working shell.
Bertl on IRC was very helpful and pointed out that setting
bcapabilities:MKNOD might be a security hole and suggested using
bind-mount for /dev instead.
I set ccapabilities:VXC_SECURE_MOUNT to allow "mount -o bind /dev
/path/to/chroot/dev" but I end up with the devices not being readable
(i.e. read from /dev/urandom). Maybe because I cannot find a way to mount
without the nodev option. Although, I'm not sure if sharing the /dev/stdin,
/dev/stdout over all chroots is a good thing security-wise.
I'm not exactly focused on the bind-mount option, any sol
Any hints?
TIA,
Sproove
Received on Thu May 2 16:17:53 2013