OpenBSD chroot vs. FreeBSD jails
I don't intend to start a war but would like to know the real security differences between OpenBSD chroot and FreeBSD jails. Are jails indeed more secure than using chroot or is chroot as secure if implemented correctly?
Please no wars, I'm only looking for information to implement a few web sites now, and possibly a few dozen at a later time. They will all need to access a database and I prefer to use a reverse proxy.

Didn't we discuss this already extensively in http://www.daemonforums.org/showthread.php?t=3983 ?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Coming from Solaris I think I'll just stay with jails on FreeBSD since the concept is the same. Then I don't have to try and get cgi working in chroot or how I'm going to get the reverse proxy working and other things in chroot. Though the thought of chroot with virtual hosts seems nice and then I wouldn't have so many instances of Apache. Though I could do that in a single jail. Just want the ultimate in security for the web sites.
Thank you for your help. I appreciated it.

I'm not sure if you're aware, but chroot(2) is not something that's only available on OpenBSD.. it is a standardized functionality that all POSIX/Unix-alikes support.
Unlike many other systems, OpenBSD makes use of this feature extensively.. most daemons additionally drop root privileges early on during initialization, reducing the blow to the rest of the system. The ultimate security for hosting multiple sites is.. multiple servers, that's physical security.. if however you prefer to keep things centralized.. you must realize that compromises may happen eventually, having a good recovery policy in place is just good thinking, making things difficult for the said attacker is just icing on the cake. You have already been told that OpenBSD does not support jails, this is because it's an extensive modification.. it touches practically every part of the system.. and nobody can guarantee that they are impenetrable or invulnerable to attack. If you believe that jails are a requirement for your setup, then continue using FreeBSD.. but respect that privilege separation, chroot(2) and wise ass thinking is good enough for some people.
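
The combination the last post describes, chroot(2) followed by an early and permanent drop of root, as an added example that is not part of the thread and not taken from any OpenBSD daemon. The names `confine` and `enum confine_err`, the directory `/var/empty` and the numeric ids are assumptions made for illustration.

```c
/* Added example: chroot(2) plus an irreversible privilege drop. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* chroot(), setgroups() on glibc */
#endif
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

enum confine_err {               /* hypothetical names */
    CONFINE_OK = 0,
    CONFINE_ROOT_TARGET,         /* refusing to "drop" to uid/gid 0 */
    CONFINE_CHROOT, CONFINE_CHDIR, CONFINE_GROUPS, CONFINE_GID, CONFINE_UID,
    CONFINE_NOT_DROPPED          /* root could be regained afterwards */
};

/* Call once, early, while still root and after opening whatever needs
 * root (privileged ports, log files). Returns the step that failed. */
enum confine_err confine(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return CONFINE_ROOT_TARGET;
    if (chroot(dir) != 0)
        return CONFINE_CHROOT;
    /* chroot() does not move the working directory; without this
     * chdir the process keeps a cwd outside the new root. */
    if (chdir("/") != 0)
        return CONFINE_CHDIR;
    /* Supplementary groups, then gid, then uid: once the uid is gone
     * the process is no longer allowed to change its groups. */
    if (setgroups(1, &gid) != 0)
        return CONFINE_GROUPS;
    if (setgid(gid) != 0)
        return CONFINE_GID;
    if (setuid(uid) != 0)
        return CONFINE_UID;
    /* Verify the drop is permanent: regaining root must fail. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return CONFINE_NOT_DROPPED;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return CONFINE_NOT_DROPPED;
    return CONFINE_OK;
}

int main(void)
{
    /* Constructed values: directory and ids are placeholders. */
    return (int)confine("/var/empty", 32767, 32767);
}
```

A process that stays root inside the chroot can leave it again, which is why the function reports a failed or reversible drop as an error instead of continuing.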