Re: To chroot or not to chroot?

[Josh Tolley <eggyknap () gmail com>]

The question here is "Is it worth the effort it would take to chroot
everything?" How much time/effort would it take for you to get
everything chrooted? Is the security of the site and the extra
security chrooting everytihing would add worth spending the time?
Should you instead just chroot some services? It's all a question of
risk vs. cost. As to your "Do I really make any difference" question,
of course you do. Perhaps it's easier to break into a web server
running, say, PHP, than to break into one serving only static pages,
but still, once you've broken in, you're still chrooted. It's a very
effective security measure, and if it's worth it for the site in
question, yes, do it.

-Josh Tolley

On 11/23/05, Martín Villalba <famafcs () gmail com> wrote:
> Hi, list! Maybe you can help me with this: I'm about to install a
> webserver, which should have an http server, webmail, php support,
> dns, ftp, remote login and a couple more things. Obviously, with all
> those ports open, I must take every security measure I know (and some
> I don't). But here comes my doubt: should I jail the webserver with
> chroot? My first thought was "Duh, yes!", but thinking about it,
> having all those services running at the same time, do I really make
> any difference? It seems to me that in such environment a cracker (no,
> i'm not writing "hacker") could do anything he (maybe she?) wants...
> Ideas? Suggestions? Donations (cash, please)?
> C-you
>
> Martín