Idea #14445: major services run chrooted or in openvz

Written by mitya the 16 Oct 08 at 03:06. Category: Server. Related project: Nothing/Others. Status: New
Rationale
Hi all.

I think that all major services — Apache, Postfix, Exim, OpenLDAP, ntp, jabber server, SQL servers etc. — must be run in chrooted environments right out of the box.

Mail and web servers may be run in separate OpenVZ containers for better security.

3 votes
Solution #1: Auto-generated solution of idea #14445
Written by mitya the 16 Oct 08 at 03:06.
Ubuntu Brainstorm was updated in January 2009. Since the idea #14445 was submitted before this update, its rationale and solution are not separated. Please vote accordingly, and if you have the necessary rights, please separate the rationale from the solution. Thanks!


Comments
Eldmannen wrote on the 16 Oct 08 at 07:43
This is an interesting idea.

Yes, running daemons in some kind of protected environment would be nice (in terms of security).

viraptor wrote on the 16 Oct 08 at 10:53
Chroot'ed daemon is more convenient to work with, but it *does not improve security* unless it drops privs just after starting - most daemons can't do that obviously, because they need root to work correctly.
http://kerneltrap.org/Linux/Abusing_chroot

Eldmannen wrote on the 16 Oct 08 at 12:50
People interested in this idea might want to see my idea:
* http://brainstorm.ubuntu.com/idea/1469/

mitya wrote on the 16 Oct 08 at 16:52
Looks similar, but I talk about network servers (mail, web, ntp) only.

The sandbox is suitable for complex projects like OOO, Konqueror, JVMs — programs that can execute potentially dangerous pieces of code (macros, JavaScript and so on).

viraptor wrote on the 16 Oct 08 at 17:35
What would really help (wrt security) is adding more AppArmor configurations to the distro. That system is already implemented and doesn't need any changes to the package layout.

andruk (Idea reviewer) wrote on the 16 Oct 08 at 19:35
Good idea if it's possible.

+1

hspaans wrote on the 27 Oct 08 at 13:00
-1 This is an issue that can only be solved with something like AppArmor or SELinux and not a chroot.

mitya wrote on the 1 Nov 08 at 10:22
hspaans, have you ever heard about FreeBSD jails?

