Security Concerns about the nsca daemon

[Andreas Ericsson]

Marc Haber wrote:
> On Wed, Feb 22, 2006 at 02:18:52PM +0100, Andreas Ericsson wrote:
> 
>>Marc Haber wrote:
>>
>>>On Wed, Feb 22, 2006 at 11:03:51AM +0100, Andreas Ericsson wrote:
>>>
>>>>Nothing prevents multiple daemons running in the same chroot() jail. The 
>>>>jail is still as secure as it would be if just one daemon was running 
>>>>inside it.
>>>
>>>That might be the case when the daemon can live with an empty chroot,
>>>which is only true if the daemon can chroot itself. As soon as we need
>>>external chroot techniques (which might be the case for third-party
>>>daemons, not the patched nsca), the chroot needs contents, and then it
>>>would be desireable to have one chroot per daemon.
>>>
>>
>>In that case I'd argue setting up /jail with a full environment in it 
>>and include an empty directory where Nagios will create its command-fifo.
> 
> 
> Doesn't scale in cases were multiple jails are needed,


Yes it does. Multiple daemons can share the same jail. It should 
ofcourse be mounted readonly or with as few permissions as possible.


> and I don't
> like the idea of chroot-in-chroot. Mucho ugly.
> 

It wouldn't exactly be that. nsca can chroot from the original environment.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642