Containing Access in a Jail

No matter how carefully you shield your servers from potential abusers with tools such as packet-filter firewalls, TCP Wrappers, and xinetd, you can't block all accesses to the servers. Doing so would be pointless; servers exist to communicate with clients, and there's always some risk that an unfriendly party will control one of those clients. An environment in which the server program's root directory is changed—that is, a chroot jail—is one system you can use to minimize the risk to your computer should a misconfigured or buggy server be discovered by a cracker. Of course, you should know what a chroot jail can and cannot do to protect your system. Once you understand the jail's capabilities, you can set it up. Doing this requires both preparing the jail directory and running programs in the jail.

0 0

Post a comment