RSBAC Grsec Selinux ProPolice and Pax

Robert Connolly cendres at videotron.ca
Sun Jan 18 08:26:41 PST 2004


On January 18, 2004 09:19 am, Archaic wrote:
...
> > If you have several daemons in the same chroot you can't control letting
> > 2 daemons/users share a file without letting the others.
>
> Why should someone have more than one daemon in a chroot? That rather
> defeats the purpose of allowing the daemon to see only what it needs.

Why not?

dr-x-----x  root  root     /chroot/
dr-x-----x  root  root     /chroot/etc
dr-x-----x  root  root     /chroot/dev
-r--r--r--  root  root     /chroot/etc/passwd
-r--r--r--  root  root     /chroot/etc/group
-r--r-----  root  ntpd     /chroot/etc/ntp.conf
dr-xr-x---  root  named    /chroot/etc/namedb
dr-xr-x---  root  1000     /chroot/empty
crw-r-----  root  daemon2  /chroot/dev/urandom
srw-rw-rw-  root  root     /chroot/dev/log
dr-xr-x---  root  ftp      /chroot/pub

$ cat /chroot/etc/group
root::0:
daemon2::1211:named,ntpd
ntpd::1212:ntpd
named::1213:named
ftp::1214:ftp

None of the users can ls in /chroot/etc because it's not readable by other,
unless they specify a filename. I think this would be easier to manage than
having several chroots. Also there would be fewer devices scattered on the
system. The downside is they would see the other accounts in passwd/group,
but I don't see how that would matter.

GIDs in the chroot have to be unique.

/chroot/empty needs to be readable by any user who will ssh inbound (group
users, gid 1000, or whatever), but it doesn't need to exist in
/chroot/etc/group.

Just a thought.




More information about the hlfs-dev mailing list