Re: chroot & mount --bind = security ?

From: Thomas Knop (tknop_at_maxrelax.de)
Date: 04/06/04

    Date: Tue, 6 Apr 2004 20:07:00 +0200
    To: focus-linux@securityfocus.com
    
    

    * Julien Nury <jnury@voila.fr> [06.04.04 19:24]:
    > Imagine :
    > - An Apache web server chrooted in /chroot/httpd, this server publishes
    > documents in /chroot/httpd/var/www
    > - A FTP server chrooted in /chroot/ftpd
    [..]
    > - A folder /var/www which contains my html documents
    > - mount --bind /var/www /chroot/httpd/var/www to allow the web server
    > to access them
    > - mount --bind /var/www /chroot/ftpd/var/www to allow the ftp server to
    > update them
    > And now ... questions :
    > - does it work ?
    no idea.
    > - is there a security problem with it ?
    Of course, you break the idea of chroot. This results in something
    similar to /chroot/http_and_ftp.
    > - is there another method (more secure/simple) to do this ?
    In any case of an automated file transfer from ftp -> http you run into
    the same security risk.

    Maybe you wish to keep all as it is. Then use a secure remote shell
    to move the uploaded files to the http server. If you can trust this
    task you can trust the moved files (risk: time between upload and
    move).

    Regards,
    Thomas Knop
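
Added example, not part of the original message: a check an administrator could run to see which directory trees are bind-mounted into more than one chroot jail, the situation the reply above compares to a single /chroot/http_and_ftp. It reads text in /proc/self/mountinfo format; the sample lines, the function names and the /chroot base directory default are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample in /proc/self/mountinfo format (not captured from a real host).
# Fields: id parent major:minor root mount_point options [optional...] - fstype source super
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime - ext3 /dev/sda1 rw
40 22 8:1 /var/www /chroot/httpd/var/www rw,relatime - ext3 /dev/sda1 rw
41 22 8:1 /var/www /chroot/ftpd/var/www rw,relatime - ext3 /dev/sda1 rw
42 22 8:1 /var/log/httpd /chroot/httpd/var/log rw,relatime - ext3 /dev/sda1 rw
"""

def parse_mountinfo(text):
    """Yield (device, source_root, mount_point, options) for each valid line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or "-" not in fields:
            continue  # not a complete mountinfo record
        yield fields[2], fields[3], fields[4], fields[5].split(",")

def jail_of(mount_point, jail_base):
    """Return the jail directory (e.g. /chroot/httpd) containing mount_point, or None."""
    base = jail_base.rstrip("/") + "/"
    if not mount_point.startswith(base):
        return None
    name = mount_point[len(base):].split("/", 1)[0]
    return base + name if name else None

def shared_between_jails(text, jail_base="/chroot"):
    """Map (device, source_root) -> {jail: writable} for trees visible in 2+ jails."""
    seen = defaultdict(dict)
    for dev, root, mount_point, opts in parse_mountinfo(text):
        jail = jail_of(mount_point, jail_base)
        if jail:
            # Same device and same root path means the same directory tree.
            seen[(dev, root)][jail] = "rw" in opts
    return {tree: jails for tree, jails in seen.items() if len(jails) >= 2}

if __name__ == "__main__":
    for (dev, root), jails in shared_between_jails(SAMPLE_MOUNTINFO).items():
        for jail, writable in sorted(jails.items()):
            mode = "rw" if writable else "ro"
            print(f"{root} on {dev} is visible in {jail} ({mode})")
```

On a live system the input would be the contents of /proc/self/mountinfo; mount points containing spaces appear there with octal escapes, which this sketch does not decode.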

