[TriLUG] chroot standards?

Mike Johnson mike at enoch.org
Wed Sep 4 00:41:13 EDT 2002


Greg Cox [glcox at pobox.com] wrote:
> I may be asking for the pedants to come out of the woodworks, but:
> "Where's the "right" place to put a chroot environment?"

With that kind of question, you're -begging- for the pedants.
 
> I'm working on some things (BIND among them) that are nice and
> chroot'ed off.  I hate making stuff off the root directory, so
> I made /var/chroots to be the placeholder for anything chrooted,
> and then /var/chroots/$PROJECTNAME to be where individual projects
> went.

You are wise to not put it off /.  Things get confusing when there's a
lot of directories up there.

> /opt and /usr/local didn't seem right.  / didn't seem pretty
> (/tftpboot makes me ill).  One project is using /home/itsuser
> by default, which seems kinda hokey and ew.

You might rethink /opt.  Personally, I -hate- /opt, but it's a great
dumping ground.  Think of /opt as a second /, allowing you to create
your own directory structure off from there.

Also, you might want to rethink your 'ew' response to /home/user.  This
has commonly been the way to chroot things, as you usually dedicate a
user to said chroot environment.  Similar to /opt, it lets you
compartmentalize the directories.

I wouldn't use /var/chroots.  I dislike adding new directories directly
into /var.  I also tend to think of /var as existing solely for
logfiles.  I know this is no longer the case, and there's little I can
do, but it's something that goes back to my early years and I just can't
seem to shake it.
 
> Is there a standard/guideline in Linux?  How about in the realm
> of non-penguin systems?  Or is it free for all, in a "chroot'ing
> to a predictable place weakens security" way?

In OpenBSD, BIND is chrooted into /var/named.  In OpenBSD-current,
Apache is chrooted into /var/www.

It's only a free for all because none of the distributions have adopted a
blanket chroot policy.  Understand (well, I'm sure you know this well by
now) that chrooting isn't easy and shouldn't be undertaken lightly.  As
such, it'll be a while before the distributions get much past chrooting
BIND.  The reason for the free for all has nothing to do with
predictable places being a problem (this would be security through
obscurity, at best).

Give the thing some thought.  Are people going to need to maintain this
after you?  What about backups?  Is your chroot actually secure?  Are
you sure?

Mike
-- 
"Let the power of Ponch compel you!  Let the power of Ponch compel you!"
   -- Zorak on Space Ghost

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc