James Courtier-Dutton wrote:
[snip]
>
> Ah, I just googled for "break out of chroot" and it has some
> explanations of how to do it.
> I would have to somehow block the "break out" method before I used it.
> So, I guess I will have to use some VM instead for now. I think VMs
> are more secure at the moment purely because more people are using
> them, so more bugs in security get found and quashed.
> I have known exploits in VMs, but most of them are fixed now.
>
Have a look at grsecurity (http://www.grsecurity.net/). It has several
methods to mitigate against a break out from a chroot environment. I've
been using grsecurity for several years and haven't encountered any
problems in a production environment.
And then there's always VServer
(http://linux-vserver.org/Welcome_to_Linux-VServer.org), which is in
between a VM and a chroot. I'm using this on one production server where
I had to run a 32-bit OS inside a 64-bit OS but didn't want to go down
the VM route. I ended up putting each service into a VServer (SSH,
Apache, Exim, MySQL).
HTH,
David.
--
.''`. David Ramsden
: :' : http://0wned.it/
`. `'` PGP key ID: 3454B217 on wwwkeys.eu.pgp.net
`- Debian - Because it works (tm).
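Added example, not part of the thread or of grsecurity itself: a POSIX sh check that reports which of grsecurity's chroot-hardening sysctls are absent or switched off, so the chroot-breakout mitigations mentioned above can be verified on a host rather than assumed. The sysctl names are assumed from grsecurity's documented kernel.grsecurity.* options and the /proc path is assumed; cross-check both against the running kernel's /proc/sys/kernel/grsecurity directory.

```shell
#!/bin/sh
# Audit grsecurity's chroot restrictions via their sysctl files.
# Key names are an assumption based on grsecurity's documented
# kernel.grsecurity.* options; verify them against your own kernel.
GRSEC_CHROOT_KEYS="chroot_deny_chroot chroot_deny_mount chroot_deny_fchdir
chroot_deny_chmod chroot_deny_mknod chroot_deny_pivot chroot_enforce_chdir
chroot_deny_shmat chroot_deny_unix chroot_findtask chroot_restrict_nice
chroot_caps chroot_deny_sysctl chroot_execlog"

# audit_grsec_chroot [DIR]
# DIR defaults to /proc/sys/kernel/grsecurity (assumed path).
# Prints one line per key: "ok KEY" (enabled), "off KEY" (present but 0)
# or "missing KEY" (this kernel does not expose it).
# Returns 0 only when every key is present and enabled.
audit_grsec_chroot() {
    dir=${1:-/proc/sys/kernel/grsecurity}
    rc=0
    for key in $GRSEC_CHROOT_KEYS; do
        if [ ! -r "$dir/$key" ]; then
            echo "missing $key"; rc=1
        elif [ "$(cat "$dir/$key")" = "1" ]; then
            echo "ok $key"
        else
            echo "off $key"; rc=1
        fi
    done
    return $rc
}

# Constructed sample tree standing in for /proc/sys/kernel/grsecurity on
# a host where chroot_deny_chroot was left off and chroot_execlog is
# not compiled in. Prints the temporary directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    for key in $GRSEC_CHROOT_KEYS; do echo 1 > "$d/$key"; done
    echo 0 > "$d/chroot_deny_chroot"
    rm -f "$d/chroot_execlog"
    echo "$d"
}

# Run with --demo to audit the constructed tree and show only the findings;
# run audit_grsec_chroot with no argument to audit the live kernel.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree)
    audit_grsec_chroot "$d" | grep -v '^ok '
    rm -rf "$d"
fi
```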