Brian Koontz | 10 May 2009 03:05

Running buckd in a chroot jail?

I've got buckd successfully running in a chroot jail.  This is the
relevant portion of my xinetd.conf file:

# added by Bucktooth install
service buckd
{
        type                    = UNLISTED
        protocol                = tcp
        port                    = 70
        flags                   = REUSE
        socket_type             = stream
        wait                    = no
        instances               = UNLIMITED
        user                    = root
#        server                  = /chroot/buckd/usr/local/bin/buckd
        server                  = /usr/sbin/chroot
        server_args             = /chroot/buckd/ /usr/local/bin/buckd

}

The obvious problem here is that buckd is running as root (because
chroot must be invoked as root).  From what I understand, it's still
possible to break out of a chroot jail as root.  Is there a way for me
to set this up so buckd runs under a non-root user?

  --Brian

Brian Koontz | 10 May 2009 03:42

Re: Running buckd in a chroot jail?

OK, here's take two, using jailkit (http://olivier.sessink.nl/jailkit):

# added by Bucktooth install
service buckd
{
        type                    = UNLISTED
        protocol                = tcp
        port                    = 70
        flags                   = REUSE
        socket_type             = stream
        wait                    = no
        instances               = UNLIMITED
        user                    = root
        server                  = /usr/sbin/jk_chrootlaunch
        server_args             = -j /chroot/buckd -x /chroot/buckd/usr/local/bin/buckd --user gopher --group gopher
}

Does anybody see any glaring security issues with this?  buckd does
indeed seem to be running under user "gopher" when port 70 is
accessed:

gopher   23883  0.0  0.8  82332  2340 ?        Ss   02:40   0:00 /usr/bin/perl -s usr/local/bin/buckd

  --Brian

On Sat, May 09, 2009 at 08:05:03PM -0500, Brian Koontz wrote:
> I've got buckd successfully running in a chroot jail.  This is the
> relevant portion of my xinetd.conf file:
> 
> # added by Bucktooth install
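The difference between the two stanzas in this thread is only who ends up holding the uid once the launcher has chrooted: chroot(8) changes the root directory but not the user, so the daemon keeps xinetd's `user = root`, while jk_chrootlaunch drops to the `--user`/`--group` it is given before exec'ing the target. The following is an added example (my own code, not part of the thread, Bucktooth or jailkit) that parses both stanzas and reports the effective daemon user, so the "root inside the jail" condition from the first message can be caught by reading the config rather than only by checking `ps`. It assumes jk_chrootlaunch honours `--user` as shown above (treating `-u` as a short form is an assumption), and that GNU chroot's `--userspec=` is the only way chroot(8) itself would change user.

```python
import re
from typing import Dict

# Constructed sample stanzas, based on the two configurations posted in the thread.
STANZA_PLAIN_CHROOT = """\
# added by Bucktooth install
service buckd
{
        type                    = UNLISTED
        protocol                = tcp
        port                    = 70
        flags                   = REUSE
        socket_type             = stream
        wait                    = no
        instances               = UNLIMITED
        user                    = root
#        server                  = /chroot/buckd/usr/local/bin/buckd
        server                  = /usr/sbin/chroot
        server_args             = /chroot/buckd/ /usr/local/bin/buckd
}
"""

STANZA_JAILKIT = """\
service buckd
{
        type                    = UNLISTED
        protocol                = tcp
        port                    = 70
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/jk_chrootlaunch
        server_args             = -j /chroot/buckd -x /chroot/buckd/usr/local/bin/buckd --user gopher --group gopher
}
"""


def parse_xinetd(text: str) -> Dict[str, Dict[str, str]]:
    """Return {service_name: {attribute: value}} for every `service` stanza.

    Lines whose first non-blank character is '#' are comments, as in xinetd.conf,
    so the commented-out `server` line in the first stanza is ignored.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    name, attrs = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^service\s+(\S+)\s*\{?$", line)
        if m:
            name, attrs = m.group(1), {}
            continue
        if line == "{":
            continue
        if line == "}":
            if name is not None:
                stanzas[name] = attrs
            name, attrs = None, None
            continue
        if attrs is not None and "=" in line:
            key, value = line.split("=", 1)  # plain '=' only; '+=' / '-=' are not needed here
            attrs[key.strip()] = value.strip()
    return stanzas


def effective_user(attrs: Dict[str, str]) -> str:
    """User the daemon runs as after the launcher named in `server` has done its work."""
    launcher = attrs.get("server", "").rsplit("/", 1)[-1]
    args = attrs.get("server_args", "").split()
    xinetd_user = attrs.get("user", "root")  # xinetd's default when `user` is unset
    if launcher == "jk_chrootlaunch":
        # jailkit's launcher chroots, then switches to --user/--group before exec'ing -x.
        # Without --user it stays root. (-u as a short form is an assumption.)
        for i, arg in enumerate(args):
            if arg in ("--user", "-u") and i + 1 < len(args):
                return args[i + 1]
            if arg.startswith("--user="):
                return arg.split("=", 1)[1]
        return xinetd_user
    if launcher == "chroot":
        # chroot(8) only changes the root directory; the uid is unchanged unless
        # GNU chroot's --userspec=USER:GROUP is given.
        for arg in args:
            if arg.startswith("--userspec="):
                return arg.split("=", 1)[1].split(":", 1)[0]
        return xinetd_user
    return xinetd_user


def audit(text: str) -> Dict[str, Dict[str, object]]:
    """Report, per service, who the daemon really runs as and whether that is root."""
    report: Dict[str, Dict[str, object]] = {}
    for name, attrs in parse_xinetd(text).items():
        user = effective_user(attrs)
        report[name] = {
            "launcher": attrs.get("server", ""),
            "effective_user": user,
            "runs_as_root": user in ("root", "0"),
        }
    return report


if __name__ == "__main__":
    for label, text in (("chroot(8)", STANZA_PLAIN_CHROOT), ("jk_chrootlaunch", STANZA_JAILKIT)):
        for name, r in audit(text).items():
            verdict = "ROOT INSIDE JAIL" if r["runs_as_root"] else "ok"
            print(f"{label:16} {name}: runs as {r['effective_user']!r} -> {verdict}")
```

Running it prints the first stanza as root inside the jail and the second as `gopher`; the same `audit()` can be pointed at a real `/etc/xinetd.conf` or `/etc/xinetd.d/*` file to find any other chroot-launched service that never drops privileges.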

Cameron Kaiser | 10 May 2009 05:50

Re: Running buckd in a chroot jail?

> Does anybody see any glaring security issues with this?  buckd does
> indeed seem to be running under user "gopher" when port 70 is
> accessed:

No, that looks right. I might go play with this later, possibly add it
as an officially supported option (or simply support chroot internally).

-- 
------------------------------------ personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckaiser@...
-- Innovation is hard to schedule. -- Dan Fylstra -----------------------------

Peter Tynan | 28 May 2009 03:50

only2clicks.com

It is nice to find a service that allows links to gopher sites so I
thought I would share...

I've recently been having a play with the on-line bookmarking service
provided by only2clicks.com and much to my surprise it allows gopher
links. So you can see what I'm talking about I've made my FOSS folder
public at http://www.only2clicks.com/pages/frood/221744 - if you visit
you will notice a working link to the Floodgap gopher server (not the
http proxy).

It does not automatically import an image for gopher links but it does
have a facility to upload your own images.

Peter

-- 
(\__/)
(='.'=) This is Bunny. Copy and paste Bunny into your
(")_(") signature to help him gain world domination.

gopher://sdf.lonestar.org/11/users/happy

Cameron Kaiser | 28 May 2009 04:02

Re: only2clicks.com

> It is nice to find a service that allows links to gopher sites so I
> thought I would share...

Nice indeed. Now we need to get one of those URL shorteners to play ball.
Anyone found one yet?

-- 
------------------------------------ personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckaiser@...
-- Well done is better than well said. -- Benjamin Franklin -------------------
