Shorewall users - Sep 2004 - shorewall in chroot jail

Hello,


I would like to run other services like messaging services on my
firewall machine too.  
Does it make sense to run shorewall, openvpn and the pppoe package in a
chroot jail? And is it possible to run these programs as an other user?

Ciao
Hugo

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


| I would like to run other services like messaging services on my
| firewall machine too.
| Does it make sense to run shorewall, openvpn and the pppoe package in a
| chroot jail? And is it possible to run these programs as an other user?
|

Two things:

a) Running a application in a root jail protects the rest of the system
in the event that the *application* is compromized -- not the other way
around.

b) Shorewall is a set of shell scripts that run when you "shorewall
start", "shorewall restart" or "shorewall stop" and
only then.
Otherwise, there is *no Shorewall code running in your system at all*
and so the notion of "Running Shorewall in a root jail" makes no
sense.

If you want to run other services on your firewall, I would run *those
services* in a root jail since you are trying to protect your firewall
in the event that those services are compromised. Note that if any of
the services run as root, then placing them in a root jail accomplishes
nothing since root can easily escape such a jail.

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBPfzVO/MAbZfjDLIRAlBVAKC1P3+g/dgvhvq9jeZIRKr6d506YQCbBaLO
t18DgCIkSoEyAcLW5yGXT1o=Oe/A
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom Eastep wrote:
|
| | I would like to run other services like messaging services on my
| | firewall machine too.
| | Does it make sense to run shorewall, openvpn and the pppoe package in a
| | chroot jail? And is it possible to run these programs as an other user?
| |
|
| Two things:
|
| a) Running a application in a root jail protects the rest of the system
| in the event that the *application* is compromized -- not the other way
| around.
|
| b) Shorewall is a set of shell scripts that run when you "shorewall
| start", "shorewall restart" or "shorewall stop" and
only then.
| Otherwise, there is *no Shorewall code running in your system at all*
| and so the notion of "Running Shorewall in a root jail" makes no
sense.
|
| If you want to run other services on your firewall, I would run *those
| services* in a root jail since you are trying to protect your firewall
| in the event that those services are compromised. Note that if any of
| the services run as root, then placing them in a root jail accomplishes
| nothing since root can easily escape such a jail.

Please s/root jail/chroot jail/g in the above text :-)

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBPf0cO/MAbZfjDLIRAnqSAKCDZYg7qmoNs5Sb+T6T53kYpRouLQCgyp4h
tGD43PWjdRaffVEzYhS1yw4=aWZy
-----END PGP SIGNATURE-----

Tom Eastep wrote:
> Please s/root jail/chroot jail/g in the above text :-)
I got "chchchchchchchchchchchchchchchchchchchchchroot jail" before I 
forced myself to stop. ;)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike Fedyk wrote:
| Tom Eastep wrote:
|
|> Please s/root jail/chroot jail/g in the above text :-)
|
|
| I got "chchchchchchchchchchchchchchchchchchchchchroot jail" before I
| forced myself to stop. ;)

:-\

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBPlmkO/MAbZfjDLIRAibkAJ4gX+MQ3xNLPSK/+Q2Kaw/tFJlotQCdGb58
vUWoKiVaGulfe1UxpZwCZsg=C2PW
-----END PGP SIGNATURE-----

> |> Please s/root jail/chroot jail/g in the above text :-)
> |
> | I got "chchchchchchchchchchchchchchchchchchchchchroot jail"
before I
> | forced myself to stop. ;)
> 
> :-\
Don''t worry Tom, his built-in RE engine simply is broken.
''g'' is global,
not recursive... ;-)

 karsten


-- 
Davision - Atelier fuer Gestaltung / Internet / Multimedia
 UNIX / Linux Netzwerke und Schulungen
 Telefon 06151/273859   Fax 06151/273862

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Karsten Bräckelmann wrote:
|>|> Please s/root jail/chroot jail/g in the above text :-)
|>|
|>| I got "chchchchchchchchchchchchchchchchchchchchchroot jail"
before I
|>| forced myself to stop. ;)
|>
|>:-\
|
|
| Don''t worry Tom, his built-in RE engine simply is broken.
''g'' is global,
| not recursive... ;-)

You can tell that I don''t use RE substitution very often :-)

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBPxdDO/MAbZfjDLIRAnEeAJ9re8j/sUtkj6umwF6c7s7CSxe/+wCeNdBU
mOIgCZrGhOtQnuX9NABbhpk=fWE9
-----END PGP SIGNATURE-----