
Re: [ezjail] /tmp security

Just saw this topic on the mailing list from last year.

Here is how I solved the problem:
[1] Switched to zfs (adding a new mount point is as easy as the mkdir command)
[2] create the partitions
  zfs create -o quota=100g jail/example.monkeybrains.net
  zfs create -o quota=1g -o exec=off jail/example.monkeybrains.net/tmp
[3] patch the ezjail-admin script:
--- ezjail-admin.orig +++ ezjail-admin @@ -283,7 +283,7 @@
  # if a directory at the specified jail root already exists, refuse to
  # install. Empty root dirs are considered okay, sometimes they are
  # mount points to be filled by ezjail.
- [ -d ${ezjail_rootdir} ] && [ -z "`ls -I ${ezjail_rootdir}`" ] && ezjail_rootdirempty="YES" + [ -d ${ezjail_rootdir} ] && [ -z "`ls -I ${ezjail_rootdir} | grep -v '^tmp$'`" ] && ezjail_rootdirempty="YES" [ -e ${ezjail_rootdir} -a -z "${ezjail_rootdirempty}" -a -z "${ezjail_exists}" ] && exerr "Error: the specified jail root ${ezjail_rootdir} already exists."

  # if jail root specified on command line does not lie within our jail
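Review bot: the `grep -v '^tmp$'` filter only whitelists the name, so a `tmp` entry that is a regular file, a symlink, or a directory already full of someone's files still lets `ezjail_rootdirempty` become "YES" and the install proceed into a non-empty root. Suggest checking that the exception really is the pre-created empty mount point, e.g. `[ -d "${ezjail_rootdir}/tmp" ] && [ -z "$(ls -I "${ezjail_rootdir}/tmp")" ]`, and updating the comment block above the test ("Empty root dirs are considered okay") so it documents the new tmp exception.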
[4] create the jail, remove /var/tmp and symlink it to /tmp

The idea behind having the jail with a 'more secure' /tmp is not to protect you from a malicious customer, but, rather, to protect you from an insecure customer who leaves BIG holes for other people to get into the system. Now, all you need to do is write a cron job to auto-kill any httpd's running as root... :)
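As an added example (not from the post or the ezjail project): a POSIX shell script with two defender-side checks for the setup above, a generalised version of the patched "is the jail root empty apart from tmp" test, and a parser of `mount` output that verifies the jail's /tmp really came up with exec=off. The /usr/jails/example mount point and the sample `mount` lines are constructed assumptions; the post only names the datasets.

```shell
#!/bin/sh
# Added example, not the post's or ezjail's code. Two standalone checks for the
# setup in the post:
#  - jail_root_is_empty: the patched ezjail-admin test, generalised: a jail root
#    is empty when it holds nothing, or only an EMPTY 'tmp' directory (the
#    pre-created ZFS mount point). find replaces FreeBSD's 'ls -I' so it runs on
#    any POSIX host; unlike the grep in the patch it also rejects dotfiles, a
#    'tmp' that is a file, and a tmp/ that already contains leftovers.
#  - mount_is_noexec: confirms from `mount` output that /tmp really carries
#    exec=off (shown as 'noexec') instead of assuming it.

# jail_root_is_empty DIR -> 0 if DIR is empty apart from an empty tmp/ subdirectory
jail_root_is_empty() {
  dir=$1
  [ -d "$dir" ] || return 1
  # any entry other than one named 'tmp' means the root is in use
  extra=$(find "$dir" -mindepth 1 -maxdepth 1 ! -name tmp | head -n 1)
  [ -z "$extra" ] || return 1
  if [ -e "$dir/tmp" ]; then
    # tmp must be a directory (the mount point) and must not already hold files
    [ -d "$dir/tmp" ] || return 1
    inside=$(find "$dir/tmp" -mindepth 1 -maxdepth 1 | head -n 1)
    [ -z "$inside" ] || return 1
  fi
  return 0
}

# mount_is_noexec MOUNTPOINT -> 0 if the `mount` output on stdin lists MOUNTPOINT
# with the noexec option (FreeBSD and Linux both print "<dev> on <mountpoint> ...")
mount_is_noexec() {
  awk -v mp="$1" '$3 == mp && /noexec/ { found = 1 } END { exit !found }'
}

# Constructed sample of `mount` output, not captured from a real host; the
# /usr/jails/example mount point is an assumption (the post only names datasets).
SAMPLE_MOUNT='jail/example.monkeybrains.net on /usr/jails/example (zfs, local, nfsv4acls)
jail/example.monkeybrains.net/tmp on /usr/jails/example/tmp (zfs, local, noexec, nfsv4acls)'

# Demonstration on a scratch directory standing in for the jail root.
scratch=$(mktemp -d)
mkdir "$scratch/tmp"
jail_root_is_empty "$scratch" && echo "root with only tmp/ mount point: install allowed"
touch "$scratch/etc"
jail_root_is_empty "$scratch" || echo "root with extra entry: install refused"
rm -r "$scratch"
printf '%s\n' "$SAMPLE_MOUNT" | mount_is_noexec /usr/jails/example/tmp && echo "tmp: noexec"
printf '%s\n' "$SAMPLE_MOUNT" | mount_is_noexec /usr/jails/example || echo "root: exec allowed"
```

Run `mount | mount_is_noexec /path/to/jail/tmp` on the host after creating the datasets to confirm the property took effect.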