netbsd-users: Re: chroot & null mount?

Subject: Re: chroot & null mount?
To: None <netbsd-users@NetBSD.org>
From: Peter Bex <Peter.Bex@xs4all.nl>
List: netbsd-users
Date: 08/22/2007 19:30:11
--kkcDP0v44wDpNmbp
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Aug 22, 2007 at 09:15:15AM -0700, James Hartley wrote:
> NetBSD's Wiki describes either hard linking or simply copying all
> necessary support libraries into the chrooted directory:
>=20
> http://wiki.netbsd.se/chroot
>=20
> Three questions:
> 0.  Is null mounting preferable to these two methods?

It is more flexible.  If you would null mount /usr/pkg, for example,
whenever you add a package to your system it will be automatically available
in the chrooted environment.  You can't hardlink directories, so you would
have to hardlink every file by hand, which can become extremely tedious.
The same goes for copying, of course.

Another thing that you can't do with hardlinking is share these files
across filesystems.  If your chroot is in /var and you have a separate
partition on /usr, you simply won't be able to hardlink the files.
Copying and null mounting work in this situation.

The question is also: do you want these packages to become automatically
available or do you want some more finegrained control over what is availab=
le
in the chroot for security purposes?

> 1.  Are there any tricks/guidelines/admonitions to figuring out how to
> move an applications into a chrooted environment?

If you use pkgsrc, you can use the 'make package' command to create binary
packages for the chroot.  Installing a binary package in the chroot is as
easy as
# copy some_pkg.tgz /var/some/chroot/tmp
# chroot /var/some/chroot
# pkg_add tmp/some_pkg.tgz
# rm /tmp/some_pkg.tgz
# exit

> 2.  What user should own a chrooted directory?

Usually just root, so it matches the base system permissions.  You can
harden the system from that starting point.

The thing you should keep in mind is that YOU are the one who decides to use
the chroot.  You decide to do this with some purpose in mind and the approa=
ch
you take should be in service of that purpose.  There are no rules that are
cast in stone on how you should set up a chrooted environment.  Always
consider what the desired effect is in your particular situation and build
something to make that work as it should.

Regards,
Peter
--=20
http://sjamaan.ath.cx
--
"The process of preparing programs for a digital computer
 is especially attractive, not only because it can be economically
 and scientifically rewarding, but also because it can be an aesthetic
 experience much like composing poetry or music."
							-- Donald Knuth

--kkcDP0v44wDpNmbp
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (NetBSD)

iQEVAwUBRsxyo9OrBFwYag3gAQJljQf/evGlU0olhYmk/nyLR7cURfsFX5s/vqpp
n/LOqdN+DsC4X6UyOPhXju7V4cYVX36K6EiVHJNIdOMQj3iRHQRCruglN/rnIPQs
3fBLvbnnjuU9khrXJQG6QuzOE4mQXIkYUMemRnHBtKYe6JD+cBDLI0WZ/oLDIJWP
pvzKvJkANtVDxqiLJ5NgMwSg5d/ySyKLrMyb/FmJaW/XOAR+nGPgKwnCpEu4oBg0
BM7orUbDLA0QPDEqzi4QQK+of7w22Z76OgVbwmC5J6bKNdbl/PJF8wBrfH+xaulh
qRXYFxknfbc9Q0vdxCxXpVTuDxaHnj2cID4Idr1kzwDb0YSeFr5oFg==
=Ikp/
-----END PGP SIGNATURE-----

--kkcDP0v44wDpNmbp--