DaemonForums  

  #1   (View Single Post)  
Old 13th November 2009
gpatrick gpatrick is offline
Spam Deminer
 
Join Date: Nov 2009
Posts: 245
Default Jails for OpenBSD

Since jails have been around for some time, I don't expect OpenBSD to adopt them, but is there a reason why jails have not been added?
  #2   (View Single Post)  
Old 14th November 2009
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,319
Default

Quote:
Originally Posted by gpatrick View Post
...but is there a reason why jails have not been added?
OpenBSD's feature set comes from within -- meaning the developers have to be motivated enough to see ideas through to implementation. Few project developers visit this site, so the answers you will get here will be conjecture based on experience & reading OpenBSD's misc@ mailing list.

Having said that, it appears that the chroot(8) + systrace(1) combination is considered good enough that no one is motivated to do more. Numerous threads can be found on misc@ which basically come to the same conclusion:

http://marc.info/?l=openbsd-misc&w=2&r=2&s=jails&q=b

In these misc@ threads, you will find occasional mention of the following project:

http://sysjail.bsd.lv/

...but note there is a statement at their Website stating that the project is now dormant.
  #3   (View Single Post)  
Old 14th November 2009
gpatrick gpatrick is offline
Spam Deminer
 
Join Date: Nov 2009
Posts: 245
Default

I read on misc@ :

"Jail really is nice, but you can accomplish the same thing when using
chroot + systrace if you just want a single running service per
virtual jail. You can make it even tighter than a jail. But ok, it is
a lot of work, jails make it easy to implement virtual servers. It is
a nice feature, but I don't miss it on OpenBSD."

The reason for jails is to run multiple domains on one machine and each jail would be a separate domain, such as, example.org; example.com; example.net. If I need to make changes or remove a domain it's simple.

I understand how chroot works, but I am using Perl and MySQL for my sites and it is a little work to get that in chroot.

According to the above statement chroot+systrace is tighter than jails, but is there an example somewhere of how to use chroot and systrace to make it that way for a specific domain?

Also, could I chroot multiple domains, such as /var/www/example.org; /var/www/example.com; /var/www/example.net ?

Thanks!
  #4   (View Single Post)  
Old 14th November 2009
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,319
Default

Quote:
Originally Posted by gpatrick View Post
...but is there an example somewhere of how to use chroot and systrace to make it that way for a specific domain.
The modified version of Apache 1.3 available in OpenBSD can be run from within a chroot(8):

http://openbsd.org/faq/faq10.html#httpdchroot

As for tightening down what syscalls are allowed, both Lucas (author of Absolute OpenBSD) and Palmer & Nazario (authors of Securing Architectures with OpenBSD) cover this in the following sets of articles:

Both sets of authors discuss iteratively constraining what syscalls are allowed by poring over the output from:

# systrace -A /usr/sbin/inetd

The basic question you are asking is how can Apache be made to talk to multiple chroot(8)'s. While I suspect the answer will be quite tedious in looking through systrace -A output (which is error-prone & requires constant maintenance...), I would be remiss if I didn't mention three important points:

This should indicate that acceptance/interest in systrace(1) has waned. Even the information from Lucas and Palmer & Nazario is dated (circa 2003-2004). You need to think twice before committing your business to rely on a technology that is no longer regarded as being secure.
Quote:
I understand how chroot works, but I am using Perl and MySQL for my sites and it is a little work to get that in chroot.
As I understand, Perl code can be written to jump out of a chroot(8). This further supports the developers' sentiment that systrace(1) creates a false sense of security.
  #5   (View Single Post)  
Old 14th November 2009
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,057
Default

The OP is looking to use "jail"-like technologies for virtualization.

I have used chroot for virtualization on OpenBSD. For some purposes, it works well, but there are some caveats for using it this way, requiring careful planning:
  • The use of chroot only virtualizes file systems. Processes, network stack, and kernel remain unvirtualized.
  • Superuser functionality in a chrooted environment is not equivalent to running as the superuser in normal operation. Some functionality is intentionally eliminated.
Apache itself can provide virtual hosting, and that is probably the easiest way to accomplish the appearance of multiple webservers within a single OS.
  #6   (View Single Post)  
Old 14th November 2009
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

The jail functionality in FreeBSD required significant kernel changes in almost every area imaginable, it would be difficult to introduce similar functionality in OpenBSD without a developer being really motivated to do so (..and perhaps such changes would be rejected by the other developers anyway).

In OpenBSD, daemons are privilege separated and use chroot(2) where it's deemed necessary.. if you absolutely require that 'domains' be separated, then consider obtaining additional systems.

Hope that helps.
Reply With Quote
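The chroot(2) plus privilege-drop sequence that the post above refers to, as an added example that is not part of the thread and is not OpenBSD's own code. The helper name `confine_and_drop`, the directory `/var/empty` and the id 65534 are assumptions chosen for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* glibc: expose chroot(2) and setgroups(2) */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * confine_and_drop() is a hypothetical helper: lock the calling process
 * into `dir` and give up root for good. Returns 0 on success, -1 with
 * errno set on failure. The order matters:
 *   1. chroot() while still root (it is a root-only call);
 *   2. chdir("/") so the working directory is inside the new root;
 *   3. drop supplementary groups, then gid, then uid (uid last, because
 *      the earlier calls need root);
 *   4. confirm that root cannot be regained.
 */
int confine_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {       /* staying root defeats the purpose */
        errno = EINVAL;
        return -1;
    }
    if (chroot(dir) == -1 || chdir("/") == -1)
        return -1;
    if (setgroups(1, &gid) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    if (setuid(0) == 0 || seteuid(0) == 0) {   /* both must fail now */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample values: an empty directory, an unprivileged id. */
    if (confine_and_drop("/var/empty", 65534, 65534) == -1) {
        perror("confine_and_drop");
        return 1;
    }
    puts("confined: filesystem view limited, root dropped");
    return 0;
}
```

Only the filesystem view changes: the process table, network stack and kernel stay shared with the host, and descriptors opened before the call remain usable afterwards.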
  #7   (View Single Post)  
Old 15th November 2009
TerryP TerryP is offline
Arp Constable
 
Join Date: May 2008
Location: USofA
Posts: 1,547
Default

My suggestion is skip jails and use appropriate virtualization software.
  #8   (View Single Post)  
Old 15th November 2009
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

Quote:
Originally Posted by TerryP View Post
My suggestion is skip jails and use appropriate virtualization software.
While virtualization is a popular option these days, it may not be the best one.. the security aspect of such things is questionable, and you won't get much support from the developers if you're using one (..and can't replicate any problems on a real system, of course).

One's ability to use OpenBSD as a host for virtualization is also impaired, QEMU is the only option available.. and due to portability issues, the port has been stuck at 0.9.x for some time.
  #9   (View Single Post)  
Old 15th November 2009
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,057
Default

Virtualization has its values, but neither -security- nor -isolation from all problems- are among them. And that is so, whether chroot, jail, virtual machine, or "hypervisor" solution is selected.

Before anyone asks -- yes, even "firmware" hypervisor virtual machine systems, such as those used in mainframe systems since the 1970s, or on large scale Unix servers beginning in the late 1990s. Even today, on the most modern systems, a failure of a component in one virtual machine can require the entire platform be reset, affecting all virtual machines. Firmware in microcode on the hardware platform is still software, written by human beings.
Old 15th November 2009
gpatrick gpatrick is offline
Spam Deminer
 
Join Date: Nov 2009
Posts: 245
Default

Thanks everyone for your helpful replies.

As mentioned before, I have three personal websites and might add one or two more and prefer to run on my own hardware. That being the case I was looking at OpenBSD as my platform. MySQL is my database for two sites and I run a caching-only name server on the server currently.

Since this is personal only I want to run the database and domains on one server. My current platform is OpenSolaris with network virtualization (Crossbow) and zones. Currently I have an nginx reverse proxy that is redirected from ipf. Each domain is in a separate zone. I'm using ipf because OpenSolaris doesn't support pf. I did have VirtualBox running an OpenBSD guest but then when I tried to upgrade to the newest version of VirtualBox I couldn't start any guests, and when I attempted to go back to the previous version, I still couldn't get any guests to run. So I'm moving to another platform and would like to use OpenBSD.

It seems that using Apache virtual hosts would be the way to go, or would it be possible to chroot nginx and then chroot each domain?
Old 17th November 2009
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,319
Default

Quote:
Originally Posted by gpatrick View Post
It seems that using Apache virtual hosts would be the way to go, or would it be possible to chroot nginx and then chroot each domain?
It sounds like you are asking if one chroot(8)'ed subtree can talk to a different chroot(8)'ed subtree. By definition, this isn't what chroot(8) does/is. What you are hoping for is a hierarchy of chroot(8)'ed directories, but from what I see in the manpage, this isn't possible.
Old 20th November 2009
gpatrick gpatrick is offline
Spam Deminer
 
Join Date: Nov 2009
Posts: 245
Default

I'm coming from OpenSolaris where I used zones (similar to FreeBSD jails) so chroot is different to me. On OpenSolaris I had an ipf zone to rdr to my nginx reverse proxy zone which then directed traffic to each specific domain which had its own zone and own Apache instance. I also had a separate MySQL zone and mail zone. Just want to replicate this somehow on OpenBSD.

chroot lighttpd as a reverse proxy and then send to the chroot apache with multiple virtual hosts doesn't sound like it will work either since chroot can't talk to other chroot's?

If I can't chroot lighttpd as a reverse proxy, then how do I direct traffic to multiple domains with chroot?
Old 20th November 2009
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,057
Default

Because chroot -only- "virtualizes" the filesystem, the network stack is shared.

Without knowing your situation, and only from your brief descriptions here, it appears you are trying to kill a canary with a machine gun. Why not run a single instance of Apache, with multiple virtual hosts, and a single instance of your DBMS? Each virtual host "webserver" can still address a unique table space.