Hello,

I would like to run other services like messaging services on my firewall machine too. Does it make sense to run shorewall, openvpn and the pppoe package in a chroot jail? And is it possible to run these programs as another user?

Ciao
Hugo
> I would like to run other services like messaging services on my
> firewall machine too.
> Does it make sense to run shorewall, openvpn and the pppoe package in a
> chroot jail? And is it possible to run these programs as another user?

Two things:

a) Running an application in a root jail protects the rest of the system in the event that the *application* is compromised -- not the other way around.

b) Shorewall is a set of shell scripts that run when you "shorewall start", "shorewall restart" or "shorewall stop" and only then. Otherwise, there is *no Shorewall code running in your system at all* and so the notion of "Running Shorewall in a root jail" makes no sense.

If you want to run other services on your firewall, I would run *those services* in a root jail since you are trying to protect your firewall in the event that those services are compromised. Note that if any of the services run as root, then placing them in a root jail accomplishes nothing since root can easily escape such a jail.

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> > I would like to run other services like messaging services on my
> > firewall machine too.
> > Does it make sense to run shorewall, openvpn and the pppoe package in a
> > chroot jail? And is it possible to run these programs as another user?
>
> Two things:
>
> a) Running an application in a root jail protects the rest of the system
> in the event that the *application* is compromised -- not the other way
> around.
>
> b) Shorewall is a set of shell scripts that run when you "shorewall
> start", "shorewall restart" or "shorewall stop" and only then.
> Otherwise, there is *no Shorewall code running in your system at all*
> and so the notion of "Running Shorewall in a root jail" makes no sense.
>
> If you want to run other services on your firewall, I would run *those
> services* in a root jail since you are trying to protect your firewall
> in the event that those services are compromised. Note that if any of
> the services run as root, then placing them in a root jail accomplishes
> nothing since root can easily escape such a jail.

Please s/root jail/chroot jail/g in the above text :-)

-Tom
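Tom's point that a chroot only helps when the jailed service is not root, as an added example that is not code from this thread or from Shorewall: a C helper that performs the chroot and the privilege drop in the order that makes the jail hold, then checks that root cannot be regained. The jail directory and the uid/gid are assumed values.

```c
/* Added example, not from the thread: chroot a service and drop root in
 * the order that makes the jail hold, then verify the drop is permanent.
 * Directory, uid and gid are hypothetical values chosen by the caller. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if the process can no longer become root (effective uid != 0 and
 * setuid(0) refused with EPERM); 0 otherwise. As Tom notes, a jail whose
 * occupant is still root protects nothing. */
int verify_unprivileged(void)
{
    if (geteuid() == 0)
        return 0;
    errno = 0;
    if (setuid(0) == 0)          /* a saved uid of 0 would let this succeed */
        return 0;
    return errno == EPERM;
}

/* Order matters: chroot() while still root, then chdir("/") so the cwd
 * is inside the new root, then drop groups and gid before the uid (after
 * setuid() the process may no longer change them).
 * Returns 0 on success, -1 with errno set on the first failing step. */
int jail_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }
    if (chroot(dir) != 0)        return -1;
    if (chdir("/") != 0)         return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1;
    if (!verify_unprivileged()) { errno = EPERM; return -1; }
    return 0;
}

int main(void)
{
    /* Constructed values: an empty jail dir and the uid/gid of "nobody" on many Linux systems. */
    if (jail_and_drop("/var/empty", 65534, 65534) != 0) {
        perror("jail_and_drop");
        return 1;
    }
    puts("jailed and unprivileged; the service's work would start here");
    return 0;
}
```

OpenVPN can do this for itself with its --chroot, --user and --group options.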
Tom Eastep wrote:
> Please s/root jail/chroot jail/g in the above text :-)

I got "chchchchchchchchchchchchchchchchchchchchchroot jail" before I forced myself to stop. ;)
Mike Fedyk wrote:
> Tom Eastep wrote:
>
>> Please s/root jail/chroot jail/g in the above text :-)
>
> I got "chchchchchchchchchchchchchchchchchchchchchroot jail" before I
> forced myself to stop. ;)

:-\

-Tom
>>> Please s/root jail/chroot jail/g in the above text :-)
>>
>> I got "chchchchchchchchchchchchchchchchchchchchchroot jail" before I
>> forced myself to stop. ;)
>
> :-\

Don't worry Tom, his built-in RE engine simply is broken. 'g' is global, not recursive... ;-)

karsten
-- 
Davision - Atelier fuer Gestaltung / Internet / Multimedia
UNIX / Linux networks and training
Phone 06151/273859  Fax 06151/273862
Karsten Bräckelmann wrote:
>>>> Please s/root jail/chroot jail/g in the above text :-)
>>>
>>> I got "chchchchchchchchchchchchchchchchchchchchchroot jail" before I
>>> forced myself to stop. ;)
>>
>> :-\
>
> Don't worry Tom, his built-in RE engine simply is broken. 'g' is global,
> not recursive... ;-)

You can tell that I don't use RE substitution very often :-)

-Tom