[ale] chroot and /proc?

Jeff Lightner jlightner at water.com
Tue Apr 1 12:09:06 EDT 2008


BASIC QUESTION:
How does one secure /proc in a chroot environment?

DETAILS:
On another mailing list a user was having an issue getting BIND to
recognize all 4 CPUs.   Someone suggested doing mount -bind of /proc
into the chroot environment.

To me this seems like a huge security issue.   By making /proc available
to the chroot environment it would allow anyone that compromised the
chroot environment to muck things up by echoing things into /proc (e.g.
many SCSI changes can be done by echoing into
/proc/scsi/<adapter>/<instance>).

On doing a Google search the only mention I see of securing this kind of
setup talks about using UML with a different non-root user to restrict
access but that post was from 2005.   I'm wondering if that would still
be a valid approach.  

Alternatively I'm wondering if there isn't a better way to let the
chroot environment BIND know that there are 4 CPUs?
----------------------------------
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.
----------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20080401/bc0c29e8/attachment.html 


More information about the Ale mailing list