Complete.Org: Mailing Lists: Archives: gopher: January 2002:
[gopher] Re: Security issues in Gopher?
To: gopher@xxxxxxxxxxxx
Subject: [gopher] Re: Security issues in Gopher?
From: Tristan Alexander McLeay <anstouh@xxxxxxxxxxxx>
Date: Wed, 23 Jan 2002 01:12:22 +1100 (EST)
Reply-to: gopher@xxxxxxxxxxxx


Put simply, it puts you into gaol. If you typed, say, 
$ chroot /home/anstouh
all you could do is access the programs below /home/anstouh. You can't write an
event to a logfile, you can't run 'ls' (unless 'ls' happens to be somewhere in
/home/anstouh, of course). 

If the only files in /var/gopher are owned by anstouh, read/writable by owner,
readable by group and world, and you run a chrooted gopher as user nobody,
there's not much someone can do if they manage to convince gopher to do
anything other than serve up files and directories.

<Insert standard disclaimer.>

Tristan.

 --- Robert Hahn <rhahn@xxxxxxxxxxxxxx> wrote: 
> > > pretty sound to me (ie: user 'nobody' can't really do a whole lot of 
> > > damage) so I'm wondering what it would take for me to run gopherd as 
> > > nobody - and better still, why people are running it as root.
> > 
> > You can not only run gopherd as nobody (see -u) but you can also run
> > it chroot, which is more than you get with Apache even.
> 
> Interesting.  I manned chroot last night, which gave me a clear answer as to
> what and how, but, as is typical with all man pages, lacks a 'why'. :P
> 
> So, can you explain what the significance of chroot* is and how it increases
> security?  Especially as it compares to running a server either as 'nobody'
> or (horrors) root?
> 
> * I don't know what your manpage says, but mine says that chroot simply
> changes the location of the root home folder.
> 
> Or... point me to a resource that would do as well?
> 
> thx,
> -rh
> 

http://my.yahoo.com.au - My Yahoo!
- It's My Yahoo! Get your own!
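The chroot-then-run-as-nobody setup Tristan describes, as an added example (not gopherd's code or anything posted to the list): the jail directory /var/gopher, uid/gid 65534 for "nobody" and the function name are assumptions. The point it adds is the ordering: chroot needs root so it comes first, chdir("/") must follow so the working directory is inside the jail, and the uid drop comes last and is verified.

```c
#define _GNU_SOURCE   /* for chroot() and setgroups() declarations */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

enum { JAIL_OK = 0, JAIL_ERR_ROOT_TARGET, JAIL_ERR_CHROOT, JAIL_ERR_CHDIR,
       JAIL_ERR_GROUPS, JAIL_ERR_SETGID, JAIL_ERR_SETUID, JAIL_ERR_STILL_ROOT };

/* Confine the process to `dir`, then become the unprivileged uid/gid.
 * chroot(2) requires root, so it runs before the drop; chdir("/") moves the
 * cwd inside the jail (a cwd left outside is a classic escape); groups change
 * before setuid because only root may change them; the last step confirms
 * root cannot be regained (the saved uid must be gone too). */
int jail_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)          /* "dropping" to root is not a drop */
        return JAIL_ERR_ROOT_TARGET;
    if (chroot(dir) != 0)
        return JAIL_ERR_CHROOT;
    if (chdir("/") != 0)
        return JAIL_ERR_CHDIR;
    if (setgroups(0, NULL) != 0)       /* shed root's supplementary groups */
        return JAIL_ERR_GROUPS;
    if (setgid(gid) != 0)
        return JAIL_ERR_SETGID;
    if (setuid(uid) != 0)
        return JAIL_ERR_SETUID;
    if (setuid(0) == 0)                /* must fail once privileges are gone */
        return JAIL_ERR_STILL_ROOT;
    return JAIL_OK;
}

int main(void)
{
    /* Demo: run as root to see the effect; as a normal user chroot() fails. */
    int rc = jail_and_drop("/var/gopher", 65534, 65534);  /* nobody (assumed) */
    if (rc != JAIL_OK) {
        fprintf(stderr, "jail step %d failed: %s\n", rc,
                rc == JAIL_ERR_STILL_ROOT ? "root regained" : strerror(errno));
        return 1;
    }
    /* Inside the jail "/etc/passwd" means /var/gopher/etc/passwd, which a
     * file server has no reason to contain. */
    printf("now uid %u; /etc/passwd %s\n", (unsigned)getuid(),
           access("/etc/passwd", R_OK) == 0 ? "exists" : "not found");
    return 0;
}
```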

