[RFC][PATCH][CVS] chroot jailing support
Lawrence Greenfield
leg+ at andrew.cmu.edu
Sun Dec 29 22:25:02 EST 2002
--On Monday, December 30, 2002 12:52 AM -0200 Henrique de Moraes Holschuh
<hmh at debian.org> wrote:
> The codepaths in master are MUCH easier to audit, so I think it overall
> enhances the security of Cyrus to run services inside chroot jails. IF it
> is done right.
>
> Any comments? Should I submit this to CMU for inclusion on Cyrus
> eventually (if they like it)?
What's your goal? What's the threat model? For instance, do you want to:
Prevent someone who has a Cyrus exploit from using a local root exploit?
-> why not chroot master before dropping privs and just stay that way the
entire time? We can exec each service starting up and fork the services,
not master. This is more complicated (which is why it isn't implemented)
but has some nice performance properties: it should use less memory than
the current fork/exec strategy, and it allows mixed thread/process models
more easily.
-> is it interesting? After breaking Cyrus the attacker probably has
everything of value on the system anyway.
Prevent the compromise of a single Cyrus service from compromising other
Cyrus servers?
-> I'm not sure this is an interesting exercise. The services most
vulnerable to exploitation need to have read/write access to the entire
mail spool.
Other scenarios?
Larry
More information about the Info-cyrus
mailing list