Slashdot Mirror


Chroot Jails Made Easy

GonzoJohn writes "There are always difficult jobs to do as a GNU/Linux system administrator. Sometimes the difficulty lies in finding out how to do a particular job, not necessarily the job itself. This can be particularly true in the open source world where documentation can often take a back seat to implementation. But once in a while, you can stumble on a real gem that simplifies even the most difficult administration tasks. One such gem is the Jail Chroot Project. Linux Orbit introduces you to creating chroot-ed environments in this article."

3 of 87 comments

  1. That's neat by SexyKellyOsbourne · Score: 4, Insightful

    Though it seems like a virtual system, a chroot cell is not totally virtual, and there can still be plenty of compromises.

    Like usual, all you need is access to a compiler, and you can make a jailbreak. In fact, there's a whole guide to it here:

    http://www.bpfh.net/simes/computing/chroot-break.html

    If the whole jail resided in its own actual virtual Linux machine, where nasty things cannot break the account, just the session, they would be quite a bit more effective.

  2. Re: Old but effective by twoslice · Score: 4, Insightful

    I have been using chroot for many years, mostly with the big three (Apache, bind and sendmail). However, I would never rely solely on chroot for security.

    It is ridiculous to do a Maxwell Smart and put 10 locks on your front door when the window is wide open. You are always better to rely upon a locked box, inside a locked box, inside a locked box etcetera, rather than OUMF lock!

    OUMF??? you say (new proposed acronym)...
    Just think of Arnie in Predator when he says to the alien "You're one ugly mother f......"

    --

    From excellent karma to terrible karma with a single +5 funny post...

  3. .... lack of documentation? by user311 · Score: 2, Insightful

    "This can be particularly true in the open source world where documentation can often take a back seat to implementation."

    I don't know to what degree this is meant, but I would never find myself stating this alone. I think open source generally has incredible documentation. The only comparison to open source is closed source, and I don't think there is much of a question of which one is stronger at documentation. Even when I do find closed source documentation, it is rarely verbose enough. Another strong point to open source documentation is that it is only getting better. While most closed source development just leaves release info and install info (often just informing the location of files), open source documentation projects are often an undermovement to projects themselves. I don't deny there are exceptions, like this article and some other projects, systems, etc (particularly very small ones), but if it wasn't for the incredible open source documentation out there, that is so persistently provided that I always expect it, then I wouldn't have ever been able to detach myself from the closed source hells I have been used to.