Friday, March 10, 2023

Re: Folks are there any tips to improve page load times on smokeping running on OpenBSD

I think I understand better now... but is there still a security
benefit from having the different services in their own jails?
(even if the jail cells come with their own metaphorical swimming
pool and armoury)

Or is it that the jails don't offer enough compared with the
additional workload of managing multiple copies of libraries/binaries
in the system?

On Thu, 9 Mar 2023 at 12:29, Stuart Henderson <stu@spacehopper.org> wrote:
>
> On 2023/03/08 10:10, Glen Gunsalus wrote:
> >
> > On 3/7/23 15:33, Stuart Henderson wrote:
> > > On 2023-03-07, Glen Gunsalus <g-gunsalus@mindspring.com> wrote:
> > > > To get this running cp'd perl (/usr/bin/perl) and relevant perl libs (/usr/lib/[libs.so|libm.so|libperl.so] /usr/libexec/ld.so) to /var/www/usr/[bin|lib|libexec]
> > >
> > > You shouldn't need that bit (and it is safer not to) - smokeping_fcgi
> > > does not chroot.
> > >
> > >
> > Hmm, I did this on the basis of a post by you (5/11/20) in response to Tom (5/10/20) which I interpreted as needing several files moved into www "jail."
>
> No, that was me saying "this software is not really meant to work with
> chroot and if you're copying enough into the chroot that it works,
> you're providing a lot of extra tools to someone who is able to execute
> code within the jail"
>
> > ----------------quote--------------------------
> > bgplg is designed to run in a jail, it is a small C program and even
> > then it needs specially compiled versions of the external dependencies
> > (ping, bgpctl etc).
> >
> > Smokeping isn't - if you want to run the graph generating part of
> > smokeping (i.e. the cgi/fcgi script) inside a chroot jail, a whole lot
> > more is needed - a copy of perl and various modules, rrdtool,
> > rrdtool's library dependencies, fonts, and I think there were config
> > files for some of the libraries. I did this in the past but it's a
> > real mess and easy to break at update time, and the amount of things
> > copied in means that the chroot ends up more as "luxury camping" than
> > "jail" 😉
> > ----------------end quote-------------------
> >
> > I had been running smokeping and mrtg with apache for a number of years, but when OpenBSD abandoned apache I looked at nginx for transition then httpd came along and looked both more attractive and likely to be more long lived under OpenBSD.
> >
> > It was Tom's post that got me started down the httpd path. I have been running with httpd since that time.
> > I can't remember the details, but think I initially tried w/o the cp'd files, but was not successful so began incrementally moving goodies into /var/www until it worked.
> > I will try rm'ing or mv'ing those in /var/www and see how it goes.
> >
> > Thanks for your help.
> >
> > Regards, Glen
>


--
Kindest regards,
Tom Smyth.
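
An added example, not part of the thread or of any participant's message: a POSIX shell inventory of what has been copied into a web chroot such as /var/www, listing executables and shared objects and whether each copy still matches the base system's file. The function names and the sample tree built by `make_sample` are constructed for illustration.

```shell
#!/bin/sh
# Usage: audit_chroot /var/www /    (chroot directory, base system root)

# Executable files and shared objects under chroot $1, as chroot-relative paths.
chroot_tools() {
    ( cd "$1" || exit 1
      find . -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \
          -o -name '*.so' -o -name '*.so.*' \) -print ) | sed 's|^\.||' | sort
}

# Compare one chroot file ($3) with the same path under base root $2.
copy_status() {
    base=${2%/}
    if [ ! -f "$base$3" ]; then echo "chroot-only"
    elif cmp -s "$1$3" "$base$3"; then echo "same-as-base"
    else echo "differs-from-base"    # stale or modified copy
    fi
}

# One line per tool found in the chroot: status, tab, path.
audit_chroot() {
    chroot_tools "$1" | while IFS= read -r rel; do
        printf '%s\t%s\n' "$(copy_status "$1" "$2" "$rel")" "$rel"
    done
}

# Constructed sample: a fake base root and a fake chroot under scratch dir $1.
make_sample() {
    mkdir -p "$1/base/usr/bin" "$1/base/usr/libexec" \
             "$1/jail/usr/bin" "$1/jail/usr/libexec" "$1/jail/htdocs"
    echo 'perl build B' > "$1/base/usr/bin/perl"
    echo 'perl build A' > "$1/jail/usr/bin/perl"      # older copy in the chroot
    echo 'loader' > "$1/base/usr/libexec/ld.so"
    cp "$1/base/usr/libexec/ld.so" "$1/jail/usr/libexec/ld.so"
    echo '<html>' > "$1/jail/htdocs/index.html"       # content, not a tool
    chmod 755 "$1/jail/usr/bin/perl"
    chmod 644 "$1/jail/htdocs/index.html"
}

if [ "$#" -eq 2 ]; then audit_chroot "$1" "$2"; fi
```

Every line it prints is a file that code running inside the chroot could load or execute; `differs-from-base` marks copies that no longer match the base system's file, for example because an update replaced the original.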
