[RFC][PATCH][CVS] chroot jailing support

Lawrence Greenfield leg+ at andrew.cmu.edu
Sun Dec 29 22:25:02 EST 2002

--On Monday, December 30, 2002 12:52 AM -0200 Henrique de Moraes Holschuh 
<hmh at debian.org> wrote:

> The codepaths in master are MUCH easier to audit, so I think it overall
> enhances the security of Cyrus to run services inside chroot jails. IF it
> is done right.
> Any comments?  Should I submit this to CMU for inclusion on Cyrus
> eventually (if they like it)?

What's your goal? What's the threat model? For instance, do you want to:

Prevent someone who has a Cyrus exploit from using a local root exploit?
  -> why not chroot master before dropping privs and just stay that way the 
entire time? We can exec each service starting up and fork the services, 
not master. This is more complicated (which is why it isn't implemented) 
but has some nice performance properties: it should use less memory than 
the current fork/exec strategy, and it allows mixed thread/process models 
more easily.
  -> is it interesting? After breaking Cyrus the attacker probably has 
everything of value on the system anyway.

Prevent the compromise of a single Cyrus service from compromising other 
Cyrus servers?
  -> I'm not sure this is an interesting exercise. The services most 
vulnerable to exploitation need to have read/write access to the entire 
mail spool.

Other scenarios?


More information about the Info-cyrus mailing list