sks-devel

[Sks-devel] chrooting sks.


From: jack-sks-devel
Subject: [Sks-devel] chrooting sks.
Date: Thu, 30 Sep 2004 11:29:38 -0700
User-agent: Mutt/1.4.1i

Hello, 

I've set up sks in a chroot under linux, and I was wondering if there
are better ways of doing it:

* I compiled sks with -ccopt -static to get rid of the dynamic library
  dependencies. This makes a porky binary, but who cares.

* I used chroot_safe[0] to start up a daemontools svscan inside the
  chroot. chroot_safe is a step up from chroot, in that it does setuid()
  and setgid().

* I provided a statically linked "supervise" for daemontools[1]. 

* I provided a statically linked "flog"[2] and set sks to log to stdout.
   This provides a sane mechanism for log rotation. 

* I provided a statically linked busybox[3] to provide a stripped down
  shell (ash), and sleep to put in the run files to keep them from
  cycling quickly.

* I used a statically linked mail.remote from GNU mailutils[4] to
  provide a facility to send mail. 

The point of statically linking everything is that you don't need to put
all of the fscking dynamic libraries and cruft in the chroot. 

Alas, that's a futile endeavor, as the linux glibc developers have made
it very difficult to make a statically linked binary that uses nss. To
make sks able to resolve hostnames, I had to include /lib/libnss*,
/lib/libc*, and /lib/ld-linux*.

I have a few things I'd like to clean up:

1) I don't like mail.remote from GNU mailutils. Is there something
   better to use?

2) Is it possible to get ocaml to link against something like dietlibc?

Anyhow. I will continue to hack away at this, and update my freemind[5]
based brain-dump of sks admin[6]. Eventually, I'll incorporate the mind
map into the Documentation Wiki.

Cheers, 

--Jack 

[0] http://chrootsafe.sourceforge.net/
[1] http://cr.yp.to/daemontools.html . runit is probably fine if you
have something against djb.
[2] http://oss.ezic.com/
[3] http://www.busybox.net/
[4] http://www.gnu.org/software/mailutils/
[5] http://freemind.sourceforge.net/
[6] http://mudshark.org/~jack/mm/sks.html

--
Jack (John) Cummings                       http://mudshark.org/jack 
PGP fingerprint: 0774 D073 E386 B70B 6B16  2D2B 1DD8 F8B0 CCF0 FAEE
Now playing on Prime:    Bitter & Twisted -- Amon Tobin
Now playing on Remedial: Old Love -- Eric Clapton

Attachment: pgp0RcNFTlD98.pgp
Description: PGP signature
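An added example, not Jack's code or anything from the sks project: a POSIX sh script that lays out the chroot described in the post (static binaries in /bin, the NSS objects glibc still dlopen()s at run time in /lib, one daemontools service per sks process with a log/ service so stdout lands in a rotating logger). It assumes the static binaries are already built and sit in $STATIC_BIN, uses daemontools' own multilog where the post uses flog, and leaves out starting svscan inside the chroot via chroot_safe; service names and paths are illustrative.

```sh
#!/bin/sh
# Added example, not code from the post or the sks project: build the chroot
# layout the post describes for running sks under daemontools.
#   /bin      static binaries (sks, daemontools, busybox for sh and sleep)
#   /lib      the NSS objects glibc dlopen()s even from a -static binary
#   /service  one daemontools service per sks process, each with a log/ service
# Assumptions: static binaries already built in $STATIC_BIN; multilog stands in
# for the post's flog; paths and service names are illustrative. Starting
# svscan inside the chroot (chroot_safe in the post) is outside this script.

STATIC_BIN=${STATIC_BIN:-/usr/local/static-bin}

# The post's caveat: glibc's resolver loads these with dlopen() at run time, so
# a statically linked sks still cannot resolve hostnames without them.
NSS_LIBS='libnss_files.so.2 libnss_dns.so.2 libresolv.so.2 libc.so.6'

# Check a binary really is static before it goes in (glibc's ldd wording).
is_static() {
    ldd "$1" 2>&1 | grep -Eq 'not a dynamic executable|statically linked'
}

# Copy the NSS modules and the dynamic loader from whichever host lib dir has
# them (old layouts use /lib, multiarch ones /lib/x86_64-linux-gnu). Prints
# how many objects were copied so the caller can tell when none were found.
copy_nss_libs() {
    root=$1; copied=0
    for dir in /lib /lib64 /lib/x86_64-linux-gnu /usr/lib /usr/lib64; do
        for name in $NSS_LIBS; do
            if [ -e "$dir/$name" ]; then
                cp -L "$dir/$name" "$root/lib/" && copied=$((copied + 1))
            fi
        done
        for ld in "$dir"/ld-linux*.so.*; do
            if [ -e "$ld" ]; then
                cp -L "$ld" "$root/lib/" && copied=$((copied + 1))
            fi
        done
    done
    echo "$copied"
}

# A daemontools run script: supervise restarts the process whenever it exits,
# so the sleep keeps a crash loop from spinning (the post's reason for putting
# busybox's sh and sleep in the chroot). stderr joins stdout for the logger.
write_run() {
    path=$1; workdir=$2; cmd=$3
    mkdir -p "$(dirname "$path")"
    cat > "$path" <<EOF
#!/bin/sh
exec 2>&1
sleep 1
cd $workdir || exit 1
exec $cmd
EOF
    chmod 755 "$path"
}

# The log/ service: svscan pipes the main service's stdout into this process.
write_log_run() {
    path=$1; logdir=$2
    mkdir -p "$(dirname "$path")"
    cat > "$path" <<EOF
#!/bin/sh
exec /bin/multilog t s1000000 n10 $logdir
EOF
    chmod 755 "$path"
}

make_sks_chroot() {
    root=$1
    mkdir -p "$root/bin" "$root/lib" "$root/etc" "$root/var/lib/sks" \
             "$root/var/log/sks_db" "$root/var/log/sks_recon" "$root/service"
    # Static tools; skipped if not built yet, so the layout can be inspected first.
    for b in sks svscan supervise multilog busybox; do
        if [ -x "$STATIC_BIN/$b" ] && is_static "$STATIC_BIN/$b"; then
            cp "$STATIC_BIN/$b" "$root/bin/"
        fi
    done
    # busybox supplies the sh and sleep the run scripts need.
    if [ -e "$root/bin/busybox" ]; then
        for applet in sh sleep; do
            [ -e "$root/bin/$applet" ] || ln -s busybox "$root/bin/$applet"
        done
    fi
    # Minimal resolver config for the copied NSS modules.
    printf 'hosts: files dns\n' > "$root/etc/nsswitch.conf"
    if [ -r /etc/resolv.conf ]; then cp -L /etc/resolv.conf "$root/etc/"; fi
    n=$(copy_nss_libs "$root")
    [ "$n" -gt 0 ] || echo "warning: no NSS objects found; sks will not resolve hostnames" >&2
    # sks db and sks recon share one basedir; -stdoutlog sends the log to stdout
    # instead of db.log/recon.log so the log/ service captures it.
    write_run "$root/service/sks_db/run"    /var/lib/sks "/bin/sks db -stdoutlog"
    write_run "$root/service/sks_recon/run" /var/lib/sks "/bin/sks recon -stdoutlog"
    write_log_run "$root/service/sks_db/log/run"    /var/log/sks_db
    write_log_run "$root/service/sks_recon/log/run" /var/log/sks_recon
    # var/lib/sks and var/log/* must be owned by the uid chroot_safe drops to.
}

if [ -n "${1:-}" ]; then
    make_sks_chroot "$1"
fi
```

Run it as `sh make_sks_chroot.sh /srv/sks-chroot` as root, then chown var/lib/sks and var/log/* to the unprivileged uid and point chroot_safe at /bin/svscan /service inside the new root. If the warning about NSS objects appears, the chroot will start but recon peers given by hostname will never resolve, which is exactly the failure the post describes.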

