Val, I want to ask you to use misc@openbsd.org rather than
misc@openbsd.com --- I've configured both my mailer and procmail to
handle it specially.
* Val Polyakov <necro@necro.edu> [010215 11:32]:
> I'd like to put apache/named/ircd and ssh (if possible, for extra
> security.. I'm a paranoid nut) in chroot jail
> What shall I read to learn how to do it?
Apache -- difficult. Find out everything apache uses (ktrace and kdump
will come in handy) and make copies/move them into a new directory.
Write a small C wrapper that will call chroot(), open port 80, drop
privileges, and hand the socket to apache. (Source for inetd will
likely come in handy here.)
named -- very easy. vi /etc/rc.conf, search for 'named'. It will be
obvious. :)
sshd -- for what point? Isn't the whole point of ssh to allow an admin
into the box to change whatever needs to be changed? If you still want
to, you will need to use ktrace and kdump to find out what files ssh
uses (including devices, of which I expect it to use a few :) and make
copies/move them into a new directory. Again with the small C wrapper.
(Note that WireX's subdomain kernel module for Linux makes most of this
very trivial --- echo "/usr/bin/sshd { /lib/* r , /dev/* rw , /home/sarnold/*
rwx , /etc/ssh* r , }" | subdomain_parser --- and sshd is immediately
restricted to what you have listed. Sort of like a chroot(), but not
undoable from within the process, and miles easier to use for programs
not commonly chrooted. Note also that I worked for WireX over the winter
break, and am likely to work there again after graduation, so my
perspective is a little .. tainted, perhaps. But it is a nice piece of
software. :)
--
Earthlink: The #1 provider of unsolicited bulk email to the Internet.
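
An added example (not code from the original message) of the kind of wrapper described above for Apache: it enters the jail, binds the port while still root, drops privileges, and hands the listening socket to the daemon on descriptor 0, inetd-style. The jail path /var/jail/www, uid/gid 67 and the in-jail binary /bin/daemon are assumptions.

```c
#define _DEFAULT_SOURCE  /* glibc: expose chroot() and setgroups() */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* chdir before and after chroot so the cwd can never point outside the new root. */
int enter_jail(const char *dir) {
    if (chdir(dir) != 0 || chroot(dir) != 0 || chdir("/") != 0) return -1;
    return 0;
}

/* Bind while still root (ports below 1024 require it); returns the listening fd. */
int bind_listener(unsigned short port) {
    struct sockaddr_in sa = { .sin_family = AF_INET };
    int on = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 128) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Supplementary groups, then gid, then uid; then prove root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return -1;   /* refuse to "drop" to root */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) return -1;
    return 0;
}

/* Assumed values: jail /var/jail/www, uid/gid 67, daemon at /bin/daemon inside the jail. */
int main(void) {
    char *args[] = { "daemon", NULL };
    int fd;
    if (enter_jail("/var/jail/www") != 0) { perror("enter_jail"); return 1; }
    if ((fd = bind_listener(80)) < 0) { perror("bind_listener"); return 1; }
    if (drop_privileges(67, 67) != 0) { perror("drop_privileges"); return 1; }
    if (dup2(fd, 0) < 0) { perror("dup2"); return 1; }  /* socket becomes stdin */
    execv("/bin/daemon", args);                         /* path is relative to the jail */
    perror("execv"); return 1;
}
```

Because chroot() happens before execv(), everything the daemon needs (binary, libraries, config, devices) must already be inside the jail directory, which is what the ktrace/kdump survey is for.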