OpenBSD Journal

Securing Systems with chroot

Contributed by jose on from the empty-prison dept.

Emmanuel Dreyfus shares another set of tips and ideas for securing your BSD systems in a recent BSD DevCenter article. This one discusses how to use chroot(8) . While not a total solution, it does impose a serious hurdle to many attackers. Many OpenBSD systems are now using chroot locations, including Apache and SSH. You can easily apply it to a variety of subsystems by setting up a proper environment (see this article and the first two in the series for the techniques). All useful things to do to help secure exposed systems.

(Comments are closed)


Comments
  1. By djm () on

    It is generally better to add proper chrooting support to the service in question (e.g. OpenBSD's bind implementation) than to make chroot environments for arbitrary programs.

    The latter are generally incomplete solutions, waste HD space (all those static binaries or copies of shared libs) and are more fragile.

    Sometimes the former is not an option :(

  2. By schubert () on

    One of the biggest mistakes some people run into when first chrooting things (and will run into when doing apache) is they forget some really simple stuff that applications outside the chroot take for granted. Things like gid/uid mapping to entries in /etc/passwd and /etc/group. And the big one is being unable to resolve localhost to 127.0.0.1 because they didn't include a copy of /etc/hosts in the chroot. Since the secret stuff is all in /etc/master.passwd, there isn't much harm in copying passwd, group and hosts into your chroot and in the case of apache it can save serious headaches if you're using stuff like mysql/php and webmail.

    If you get stumped on why an application borks in a chroot, run it outside the chroot with ktrace and look through the output with kdump and spot all the files it may be looking for (ldd will tell you the libraries of course)

  3. By chroot newbie () on

    How does one pronounce `chroot'? Cha-root?

    And, thanks to Schubert for explaining the resolving of localhost problem. I run a lot of PHP/PostgreSQL servers and setting this up in 3.2 has been a bit of a challenge (learning opportunity).

  4. By RC () on

    I'm not a fan of Chroot by any means. Personally, I would MUCH rather have an application running as a regular user, and not give them Root access at all. For one thing, there have been numerous instances where programs just didn't drop privlidges properly.

    Besides, why chroot anyhow? Your HAVE removed the SUID bits on most of your programs and changed the rest so only users in a certain group can run them, RIGHT?

    For something like OpenSSH, chroot'ing it made a good addition (since you don't have anything to lose by doing it), but chroot's popularity has extended far beyond it's usefulness...

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]