RSBAC Grsec Selinux ProPolice and Pax
cendres at videotron.ca
Sun Jan 18 08:26:41 PST 2004
On January 18, 2004 09:19 am, Archaic wrote:
> > If you have several daemons in the same chroot you can't control letting
> > 2 daemons/users share a file without letting the others.
> Why should someone have more than one daemon in a chroot? That rather
> defeats the purpose of allowing the daemon to see only what it needs.
-r-x----x root root /chroot/
-r-x----x root root /chroot/etc
-r-x----x root root /chroot/dev
-r--r--r-- root root /chroot/etc/passwd
-r--r--r-- root root /chroot/etc/group
-r--r----- root ntpd /chroot/etc/ntp.conf
-r-xr-x--- root named /chroot/etc/namedb
-r-xr-x--- root 1000 /chroot/empty
crw-r----- root daemon2 /chroot/dev/urandom
srw-rw-rw- root root /chroot/dev/log
-r-xr-x--- root ftp /chroot/pub
$ cat /chroot/etc/group
None of the users can ls in /chroot/etc because it's not readable by other,
unless they specify a filename. I think this would be easier to manage than
having several chroots. Also there would be fewer devices scattered on the
system. The downside is they would see the other accounts in passwd/group,
but I don't see how that would matter.
Gids in chroot have to be unique.
/chroot/empty needs to be readable by any user who will ssh inbound (group
users gid 1000, or whatever), but it doesn't need to exist in /chroot/etc/
Just a thought.
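The layout above, evaluated with the POSIX discretionary access rules, as an added example that is not code from the post or from the hlfs project. It models the three permission classes (owner, group, other; only the first matching class applies), search permission on every directory along a path, and the "x-only directory" effect that stops ls but still lets a daemon open a file it can name. The group file, the daemon account names, the "users" name for gid 1000, and treating namedb/empty/pub as directories are constructed assumptions; root's CAP_DAC_OVERRIDE is not modelled. The parser also rejects a duplicate gid, which is the reason gids in the chroot have to be unique: two names with one gid are one group to the kernel.

```python
"""Model of the shared-chroot layout sketched in the post, checked with the
POSIX discretionary access rules (owner, group, other; search permission on
every directory along the path).  Added example, not code from the post or
the hlfs project.  Assumptions: the group file below is constructed, the
entries that must be directories are marked 'd' (the post shows them with
'-'), gid 1000 is called "users", and root's CAP_DAC_OVERRIDE is ignored.
"""

# Layout transcribed from the post's listing: path -> (type, mode, owner, group).
LAYOUT = {
    "/chroot":              ("d", "r-x----x", "root", "root"),
    "/chroot/etc":          ("d", "r-x----x", "root", "root"),
    "/chroot/dev":          ("d", "r-x----x", "root", "root"),
    "/chroot/etc/passwd":   ("-", "r--r--r--", "root", "root"),
    "/chroot/etc/group":    ("-", "r--r--r--", "root", "root"),
    "/chroot/etc/ntp.conf": ("-", "r--r-----", "root", "ntpd"),
    "/chroot/etc/namedb":   ("d", "r-xr-x---", "root", "named"),   # assumed directory
    "/chroot/empty":        ("d", "r-xr-x---", "root", "users"),   # gid 1000 in the post
    "/chroot/dev/urandom":  ("c", "rw-r-----", "root", "daemon2"),
    "/chroot/dev/log":      ("s", "rw-rw-rw-", "root", "root"),
    "/chroot/pub":          ("d", "r-xr-x---", "root", "ftp"),     # assumed directory
}

# Constructed /chroot/etc/group; the post's "cat" output is not on the page.
# Each daemon is listed as a member of its own group so that primary group
# membership needs no separate passwd file in this model.
GROUP_FILE = """\
root:x:0:
ntpd:x:101:ntpd
named:x:102:named
daemon2:x:103:ntpd,named
ftp:x:104:ftp
users:x:1000:alice
"""


def parse_group_file(text):
    """name -> (gid, members).  Rejects a duplicate gid: two names sharing a
    gid are one group to the kernel, so their members would share each
    other's files.  That is why gids in the chroot must be unique."""
    groups, name_of_gid = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        gid = int(gid)
        if gid in name_of_gid:
            raise ValueError(f"gid {gid} used by both {name_of_gid[gid]} and {name}")
        name_of_gid[gid] = name
        groups[name] = (gid, set(filter(None, members.split(","))))
    return groups


GROUPS = parse_group_file(GROUP_FILE)


def groups_of(user, groups=GROUPS):
    """Every group whose member list names `user`."""
    return {name for name, (_gid, members) in groups.items() if user in members}


def class_bits(path, user):
    """Bits of the ONE class that applies: owner if the uid matches, else group
    if one of the user's groups matches, else other.  Classes are not unioned:
    an owner class of --- denies even when the group class would allow."""
    _ftype, mode, owner, group = LAYOUT[path]
    if user == owner:
        bits = mode[0:3]
    elif group in groups_of(user):
        bits = mode[3:6]
    else:
        bits = mode[6:9]
    return set(bits) - {"-"}


def can_access(path, user, want):
    """`want` is 'r', 'w' or 'x'.  Every directory above `path` needs search (x)
    for the lookup to proceed; only the final component needs `want`."""
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts)):
        ancestor = "/" + "/".join(parts[:depth])
        if ancestor in LAYOUT and "x" not in class_bits(ancestor, user):
            return False
    return want in class_bits(path, user)


def can_list(directory, user):
    """ls needs read on the directory itself.  An x-only directory lets a user
    open an entry they can name but not enumerate what is in it."""
    return LAYOUT[directory][0] == "d" and can_access(directory, user, "r")


def readable_by(user):
    """Paths `user` can open for reading (search, for directories)."""
    return sorted(path for path, (ftype, *_rest) in LAYOUT.items()
                  if can_access(path, user, "x" if ftype == "d" else "r"))


if __name__ == "__main__":
    for user in ("ntpd", "named", "ftp", "alice"):
        print(f"{user:6} ls /chroot/etc: {can_list('/chroot/etc', user)!s:5} "
              f"reads: {readable_by(user)}")
```

Running it shows the post's claims line by line: no daemon can ls /chroot/etc, ntpd alone reads ntp.conf, ntpd and named share urandom through daemon2, the ssh user in "users" can search /chroot/empty while ftp cannot, and every account can still read passwd and group by name.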