sks-devel

Re: [Sks-devel] chrooting sks.


From: Olaf Gellert
Subject: Re: [Sks-devel] chrooting sks.
Date: Wed, 05 Jan 2005 14:00:37 +0100

A very late response due to a very long trip to
Down Under, but here you are:

address@hidden wrote:
> I've set up sks in a chroot under linux, and I was wondering if there
> are better ways of doing it:
> 
> * I compiled sks with -ccopt -static to get rid of the dynamic library
>   dependencies. This makes a porky binary, but who cares.

Well, I do not really find it that difficult to
provide the necessary libraries in the chroot.
Just use "ldd" on the binaries and there you are.
In our chroot we are running not only sks but
postfix too with no worries.

> * I used chroot_safe[0] to start up a daemontools svscan inside the
>   chroot. chroot_safe is a step up from chroot, in that it does setuid()
>   and setgid().

We are using chrootuid for this purpose. It would be
very nice if SKS itself had a feature to drop
its root privileges (because it needs root privileges
if it should listen on port 80 (which in turn enables
users behind restrictive firewalls to contact the key
server)).

> * I provided a statically linked "flog"[2] and set sks to log to stdout.
>    This provides a sane mechanism for log rotation. 

This seems to be an improvement on our log rotating right
now, thanks for the hint.

> Alas, that's a futile endeavor, as the linux glibc developers have made
> it very difficult to make a statically linked binary that uses nss. To
> make sks able to resolve hostnames, I had to include /lib/libnss*,
> /lib/libc*, and /lib/ld-linux*.

And maybe some config-files like /etc/nsswitch.conf
and /etc/resolv.conf...

> 2) Is it possible to get ocaml to link against something like dietlibc?
Good idea, unfortunately I have no experience with that.

Cheers,

 Olaf

-- 
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Consultant,                              Consulting GmbH
Phone: (+49) 0700 / PRESECURE           address@hidden

                        A daily view on Internet Attacks
                        https://www.ecsirt.net/sensornet
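Added example (not part of the thread, and not SKS project code): a small POSIX shell script that does what Olaf describes, namely populating a chroot from "ldd" output, and also copies the NSS/resolver files the earlier poster found were needed (nsswitch.conf, resolv.conf, and the libnss_* modules, which glibc loads with dlopen() so ldd never lists them). The chroot path /srv/sks-chroot and the binary names sks and sks_db in the usage line are assumptions, not paths from the original messages.

```sh
#!/bin/sh
# Added example: build a minimal chroot for a dynamically linked daemon.
# Copies only the binaries named on the command line plus the shared
# libraries ldd reports for them, never whole /lib trees, so the chroot
# stays small and auditable. Paths and binary names are assumptions.

# copy_with_parents ROOT SRC : copy SRC under ROOT at the same path.
copy_with_parents() {
    root=$1; src=$2
    mkdir -p "$root$(dirname "$src")"
    cp -p "$src" "$root$src"    # follows symlinks, so the real file lands
}

# ldd_deps BIN : absolute paths of BIN's shared-library dependencies, one
# per line. Empty for a static binary or when ldd is not installed.
ldd_deps() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }   # libfoo => /path
        $1 ~ /^\// { print $1 }'                      # /lib/ld-linux...
}

# populate_chroot ROOT BIN... : install each binary and its deps under ROOT.
populate_chroot() {
    root=$1; shift
    for bin in "$@"; do
        copy_with_parents "$root" "$bin"
        for lib in $(ldd_deps "$bin"); do
            [ -e "$root$lib" ] || copy_with_parents "$root" "$lib"
        done
    done
}

# install_resolver_conf ROOT [SRCDIR] : copy the files glibc's resolver
# reads at runtime. SRCDIR defaults to /etc; a test can pass its own.
install_resolver_conf() {
    root=$1; srcdir=${2:-/etc}
    mkdir -p "$root/etc"
    for f in nsswitch.conf resolv.conf hosts; do
        [ -r "$srcdir/$f" ] && cp -p "$srcdir/$f" "$root/etc/$f"
    done
    return 0
}

# install_nss_modules ROOT BIN : copy libnss_files/libnss_dns from the
# directory that holds BIN's libc. ldd cannot show these because glibc
# dlopen()s them, so without this step hostname lookups fail in the chroot.
install_nss_modules() {
    root=$1; bin=$2
    libc=$(ldd_deps "$bin" | grep '/libc\.so' | head -n 1)
    [ -n "$libc" ] || return 0           # musl or static: nothing to do
    libdir=$(dirname "$libc")
    for m in "$libdir"/libnss_files.so.* "$libdir"/libnss_dns.so.*; do
        [ -e "$m" ] && copy_with_parents "$root" "$m"
    done
    return 0
}

# missing_deps ROOT BIN : print host-side deps of BIN that are absent
# under ROOT; prints nothing when the chroot is complete for BIN.
missing_deps() {
    root=$1; bin=$2
    for lib in $(ldd_deps "$bin"); do
        [ -e "$root$lib" ] || echo "$lib"
    done
}

# Usage (assumed paths): sh mkchroot.sh /srv/sks-chroot /usr/bin/sks /usr/bin/sks_db
if [ "$#" -ge 2 ]; then
    root=$1; shift
    populate_chroot "$root" "$@"
    install_resolver_conf "$root"
    install_nss_modules "$root" "$1"
    for bin in "$@"; do missing_deps "$root" "$bin"; done
fi
```

Run it as root once, then start the daemon with chrootuid or chroot_safe so it drops to an unprivileged uid after chroot(); the script itself never needs to run inside the chroot. Re-run missing_deps after every library upgrade on the host, since copied libraries do not get updated by the package manager.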
