httpd-dev mailing list archives

From Randy Terbush <>
Subject Re: setuid control WITHOUT running as root
Date Mon, 03 Jun 1996 00:03:14 GMT
>   I just see so many holes in the chrooted environment that it is hard to
>   distinguish it from the non-chrooted
> But do you really need all that stuff?
> Actually, one useful thing that might come out of this conversation is
> a set of guidelines for setting up a chrooted environment which *doesn't* 
> have "so many holes".  I have to confess I actually haven't got much
> experience setting up secure chrooted environments, but the things that
> occur to me off the top of my head are:
> 1) Very restricted /etc --- cut-down /etc/passwd without the actual
>    password encrypts; *perhaps* cut-down /etc/group and hosts files;
>    anything else?

I've found that Solaris only requires that /etc/passwd be present.
No need to have the shadow files in the chroot()'d area.

> 2) No suid files or sgid files (at all --- not even 'ps'; if you want
>    to send mail, telnet to localhost on port 25, don't use sendmail).

It's possible to set up sendmail so that it doesn't need to be suid root
in your chroot()'d area.

> 3) No device inodes at all, with the *possible* exception of a /dev/null.
>    Especially no ptys, ttys, serial lines, tape drives, or disks.

Not possible on Solaris. In fact, it needs quite a few of them just to
run a network app.

Granted, some of the other dangerous ones can go away. I'm sure that
plenty could be done with /dev/udp though....

> 4) Main server config files, log files, and maintenance scripts should
>    not be in the chrooted area.  No commands which could potentially be
>    run from any cron job, or by any maintenance script invoked by a 
>    cron job, should be in the chrooted area.  No .htpasswd or .htgroups
>    files, or other files with equivalent functionality, should be in the
>    chrooted area.  Whatever ordinary commands or lib files *are* in the
>    chrooted area should be duplicates, not hard links.

Tough to do unless we modify Apache to talk to a logging daemon via
an INET socket.

> There have got to be more rules than this --- what am I missing?
> rst

Solaris has a nice FS feature called the LOFS (loopback). It enables
you to give the server entire document trees that are read-only.

System immutable flags are pretty handy as well.
