Re: [vserver] Changeroot with vserver instance

From: Daniël W. Crompton <daniel.crompton_at_gmail.com>
Date: Wed 08 May 2013 - 13:01:09 BST
Message-ID: <CALKmEuB_KT6J0dze5ZvH0ugbpFrYGLmD2VEkO+=x5ZMcOOTf+A@mail.gmail.com>

Hi,

I don't know if it's relevant, but I hadn't seen a reaction. You can set up a
secure barrier for the vserver:

   - http://linux-vserver.org/Secure_chroot_Barrier#Solution:_Secure_Barrier

I think you can also use makedev and create the std(in|out|err) in the
chroot directory structure.

D.

On 2 May 2013 17:16, vsproove <vserver-l@hichac.de> wrote:

> Hi folks,
>
> I'm currently trying to set up a chroot within a vserver instance.
> What would be a /secure/ way to populate the chroot's /dev directory?
>
> Background: This is a multi-user webserver running PHP scripts via
> php-fpm. php-fpm can (and should) be used chrooted. The chroot itself
> works fine. My management tools (i.e. setting up new webspace/chroots
> for users) are running inside the vserver instance, not on "bare metal".
> A proper /dev is required because PHP sends mail via exec sendmail,
> requiring a working shell.
>
> Bertl on IRC was very helpful and pointed out that setting
> bcapabilities:MKNOD might be a security hole and suggested using
> bind-mount for /dev instead.
>
> I set ccapabilities:VXC_SECURE_MOUNT to allow "mount -o bind /dev
> /path/to/chroot/dev" but I end up with the devices not being readable
> (i.e. read from /dev/urandom). Maybe because I cannot find a way to mount
> without the nodev option. Although, I'm not sure if sharing the /dev/stdin
> /dev/stdout over all chroots is a good thing security-wise.
>
> I'm not exactly focused on the bind-mount option, any sol
>
> Any hints?
>
> TIA,
> Sproove
>

-- 
blaze your trail
-- 
Daniël W. Crompton <daniel.crompton@gmail.com>
http://specialbrands.net/
<http://twitter.com/webhat>
<http://www.facebook.com/webhat><http://plancast.com/webhat><http://www.linkedin.com/in/redhat>
Received on Wed May 8 13:01:38 2013
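The thread leaves two options open: bind-mounting the host's /dev (which, as the original poster found, is unusable when the mount carries nodev, and which shares every host device with every chroot) or hand-populating a minimal /dev with makedev/mknod. The script below is an added example for the second route; it is not code from either poster or from the Linux-VServer project. It assumes the standard Linux device numbers (null 1:3, zero 1:5, random 1:8, urandom 1:9, tty 5:0) and the usual layout where /dev/stdin, /dev/stdout and /dev/stderr are symlinks into /proc/self/fd. Besides creating the nodes, it audits a chroot's /dev against an allowlist, so that a /dev that has quietly grown beyond what php-fpm and sendmail need is detected rather than silently shared.

```shell
#!/bin/sh
# Added example (not from the thread): build and audit a minimal,
# allow-listed /dev for a php-fpm chroot instead of bind-mounting the host's /dev.
# Assumptions: mainline Linux device numbers and std(in|out|err) as symlinks
# into /proc/self/fd (so /proc must be mounted inside the chroot for them to work).

# Device nodes the chroot actually needs: "name type major minor mode"
DEV_ALLOWLIST="null c 1 3 666
zero c 1 5 666
random c 1 8 444
urandom c 1 9 444
tty c 5 0 666"

# Non-device names permitted in <chroot>/dev (the std stream symlinks).
LINK_ALLOWLIST="stdin stdout stderr fd"

# populate_chroot_dev <chroot>: create the nodes and symlinks.
# Needs CAP_MKNOD, i.e. root on the host or a guest that has been granted mknod.
populate_chroot_dev() {
    dev="$1/dev"
    mkdir -p "$dev"
    printf '%s\n' "$DEV_ALLOWLIST" | while read -r name type major minor mode; do
        [ -e "$dev/$name" ] || mknod -m "$mode" "$dev/$name" "$type" "$major" "$minor"
    done
    # Std streams resolve through /proc rather than through shared device nodes,
    # so nothing in one chroot's /dev points at another chroot's descriptors.
    ln -sfn /proc/self/fd "$dev/fd"
    ln -sfn /proc/self/fd/0 "$dev/stdin"
    ln -sfn /proc/self/fd/1 "$dev/stdout"
    ln -sfn /proc/self/fd/2 "$dev/stderr"
}

# is_allowed <name>: exit 0 if <name> is in either allowlist, 1 otherwise.
is_allowed() {
    for n in $LINK_ALLOWLIST; do
        [ "$n" = "$1" ] && return 0
    done
    printf '%s\n' "$DEV_ALLOWLIST" | awk '{print $1}' | grep -qx -- "$1"
}

# audit_chroot_dev <chroot>: exit 0 if <chroot>/dev contains only allow-listed
# entries, 1 otherwise, naming each offender on stderr. Anything else present
# (a disk node, /dev/mem, a leftover full bind mount) is what a chroot must not see.
audit_chroot_dev() {
    dev="$1/dev"
    rc=0
    for path in "$dev"/* "$dev"/.[!.]*; do
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        if ! is_allowed "$name"; then
            echo "unexpected entry in $dev: $name" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh chroot-dev.sh /path/to/chroot   (as root, to populate and then audit)
if [ $# -gt 0 ]; then
    populate_chroot_dev "$1"
    audit_chroot_dev "$1" && echo "$1/dev: only allow-listed entries present"
fi
```

Run it once per new webspace after the chroot is created, and run the audit part from a cron job: a failing audit is the cheap signal that someone has bind-mounted or copied a larger /dev into a user's chroot. Mounting the chroot's /proc read-only and nosuid keeps the std stream symlinks working without widening what the chroot can reach.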
Generated on Wed 08 May 2013 - 13:01:38 BST by hypermail 2.1.8