
Grsec Chroot restrictions, ACL, and vserver

Posted: Tue Sep 04, 2007 11:10 am
by ronaldjeremy
The grsec Chroot jail restrictions are great and I use them on every machine I have.

Recently I have been wanting to make better use of my hardware so I compiled the vserver+grsec kernel to get vserver up and running.

The problem I am running into is that each vserver is essentially itself a chroot, and will in turn have its own set of chrooted services. Since a vserver is essentially a chroot, I can't use many of the all-important restrictions like "Deny (f)chmod +s", "Deny mounts" and "Deny double-chroots" on a vserver guest's chrooted services, while still allowing the vserver to function as normal.

I am wondering if the ACL features will give me the granularity needed so that I can disable the chroot restrictions by default, and then enable the grsec Chroot restrictions on specific subdirectories located in a vserver?

Any ideas on how to use vserver and all of the Chroot restrictions at the same time would be greatly appreciated, thanks!

Re: Grsec Chroot restrictions, ACL, and vserver

Posted: Thu Sep 06, 2007 2:34 pm
by ronaldjeremy
Anyone?

I guess really you can take vserver out of the question; what I am really wanting to know is, can ACL be used to apply all of the chroot restrictions just on a specific directory (and all of its subdirectories)?

Re: Grsec Chroot restrictions, ACL, and vserver

Posted: Mon Oct 15, 2007 10:27 pm
by ronaldjeremy
A simple yes or no would suffice. Is this possible? Thanks.