swisspig.net - To hell with the pig... I'm going to Switzerland.

chroot and Security Updates (Monday, March 12, 2007)

I pride myself on keeping swisspig.net as secure as can be. To that end, I run Debian, so I can take advantage of apt-get security updates to keep my system up to date. Another measure I take to help protect my security is to run my servers — such as the web server — in a chroot jail, which is like its own private system-within-a-system, which makes it more difficult for a bug in the server to allow an attacker to gain control of the entire system. Of course with a system-within-a-system, you have to remember that Debian apt-get only upgrades your base system, and not the chrooted system. So each time you download security updates, you have to check to see which files in your jail are different than the files in the base system and copy them over. And woe unto you if one of the updated files has a dependency on a file you don't already have in your jail. Then your software crashes, and you have to track down which file you're missing, and copy that too. I'm sure there's a more sophisticated way to do this... but I haven't figured it out. I suppose one could run apt in the jail, but the whole point of the jail is so that only the most basic software is available — nothing a hacker could use to cause trouble. Upgrade utilities are definitely a hacker's friend. Also, I have constrained system resources and I'm unwilling to burn the extra disk space to duplicate those functions. I wonder if it is possible to simply create hard links to the libraries and programs I want and not have copies at all? Of course, if you have hard links, anything that is compromised in the jail will become compromised on the base system, too, which defeats the purpose. I guess it's going to be update-and-copy for a while longer — that's why we have shell scripts!

—Brian (3/12/2007 12:35 AM)
(0 comments)

Comments

No comments.

Name
URL
Comment
(no html)
 

Disclaimer: Opinions on this site are those of Brian Ziman and do not necessarily
reflect the views of any other organizations or businesses mentioned.