Security Basics mailing list archives
Re: To chroot or not to chroot?
From: Josh Tolley <eggyknap () gmail com>
Date: Thu, 24 Nov 2005 22:34:45 -0700
The question here is "Is it worth the effort it would take to chroot everything?" How much time/effort would it take for you to get everything chrooted? Is the security of the site and the extra security chrooting everytihing would add worth spending the time? Should you instead just chroot some services? It's all a question of risk vs. cost. As to your "Do I really make any difference" question, of course you do. Perhaps it's easier to break into a web server running, say, PHP, than to break into one serving only static pages, but still, once you've broken in, you're still chrooted. It's a very effective security measure, and if it's worth it for the site in question, yes, do it. -Josh Tolley On 11/23/05, Martín Villalba <famafcs () gmail com> wrote:
Hi, list! Maybe you can help me with this: I'm about to install a webserver, which should have an http server, webmail, php support, dns, ftp, remote login and a couple more things. Obviously, with all those ports open, I must take every security measure I know (and some I don't). But here comes my doubt: should I jail the webserver with chroot? My first thought was "Duh, yes!", but thinking about it, having all those services running at the same time, do I really make any difference? It seems to me that in such environment a cracker (no, i'm not writing "hacker") could do anything he (maybe she?) wants... Ideas? Suggestions? Donations (cash, please)? C-you Martín
Current thread:
- To chroot or not to chroot? Martín Villalba (Nov 24)
- RE: To chroot or not to chroot? Jeroen van Meeuwen (Nov 24)
- Re: To chroot or not to chroot? Josh Tolley (Nov 25)
- Re: To chroot or not to chroot? darren kirby (Nov 25)