[Sks-devel] chrooting sks.
From: jack-sks-devel
Subject: [Sks-devel] chrooting sks.
Date: Thu, 30 Sep 2004 11:29:38 -0700
User-agent: Mutt/1.4.1i
Hello,
I've set up sks in a chroot under linux, and I was wondering if there
are better ways of doing it:
* I compiled sks with -ccopt -static to get rid of the dynamic library
dependencies. This makes a porky binary, but who cares.
* I used chroot_safe[0] to start up a daemontools svscan inside the
chroot. chroot_safe is a step up from chroot, in that it does setgid()
and setgid().
* I provided a statically linked "supervise" for daemontools[1].
* I provided a statically linked "flog"[2] and set sks to log to stdout.
This provides a sane mechanism for log rotation.
* I provided a statically linked busybox[3] to provide a stripped down
shell (ash), and sleep to put in the run files to keep them from
cycling quickly.
* I used a statically linked mail.remote from GNU mailutils[4] to
provide a facility to send mail.
The point of statically linking everything is that you don't need to put
all of the fscking dynamic libraries and cruft in the chroot.
Alas, that's a futile endeavor, as the linux glibc developers have made
it very difficult to make a statically linked binary that uses nss. To
make sks able to resolve hostnames, I had to include /lib/libnss*, and
lib/libc*, and lib/ld-linux*.
I have a few things I'd like to clean up:
1) I don't like mail.remote from GNU mailutils. Is there something
better to use?
2) Is it possible to get ocaml to link against something like dietlibc?
Anyhow. I will continue to hack away at this, and update my freemind[5]
based brain-dump of sks admin[6]. Eventually, I'll incorporate the mind
map into the Documentation Wiki.
Cheers,
--Jack
[0] http://chrootsafe.sourceforge.net/
[1] http://cr.yp.to/daemontools.html . runit is probably fine, and you
have something against djb.
[2] http://oss.ezic.com/
[3] http://www.busybox.net/
[4] http://www.gnu.org/software/mailutils/
[5] http://freemind.sourceforge.net/
[6] http://mudshark.org/~jack/mm/sks.html
--
Jack (John) Cummings http://mudshark.org/jack
PGP fingerprint: 0774 D073 E386 B70B 6B16 2D2B 1DD8 F8B0 CCF0 FAEE
Now playing on Prime: Bitter & Twisted -- Amon Tobin
Now playing on Remedial: Old Love -- Eric Clapton
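
An added example, not part of the original post or of sks: a Python audit that walks a chroot tree, reads each ELF file's program headers, and reports whether the binary requests a dynamic loader (PT_INTERP) and whether that loader exists inside the chroot. The function names, the status strings and the `fake_elf64` sample builder are constructed for this illustration.

```python
import os, struct
PT_INTERP = 3  # program-header type that names the dynamic loader

def elf_interpreter(data):
    """Loader path requested by an ELF image, "" if none, None if not ELF."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return None
    e = "<" if data[5] == 1 else ">"             # EI_DATA: byte order
    if data[4] == 2:                             # EI_CLASS 2: ELF64
        phoff, = struct.unpack_from(e + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(e + "HH", data, 0x36)
        fmt, i_off, i_size = e + "IIQQQQ", 2, 5  # index of p_offset, p_filesz
    else:                                        # ELF32
        phoff, = struct.unpack_from(e + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(e + "HH", data, 0x2A)
        fmt, i_off, i_size = e + "IIIII", 1, 4
    for n in range(phnum):
        base = phoff + n * phentsize
        if base + struct.calcsize(fmt) > len(data):
            break                                # truncated program header table
        ph = struct.unpack_from(fmt, data, base)
        if ph[0] == PT_INTERP:
            return data[ph[i_off]:ph[i_off] + ph[i_size]].rstrip(b"\0").decode("latin-1")
    return ""

def audit_chroot(root):
    """Classify every ELF file under root by whether its loader is in the chroot."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue                         # do not follow links out of the tree
            with open(path, "rb") as f:
                interp = elf_interpreter(f.read())
            if interp is None:
                continue                         # run scripts, configs, data files
            inside = os.path.join(root, interp.lstrip("/"))
            report[os.path.relpath(path, root)] = (
                "no-loader" if not interp else
                "loader-present" if os.path.exists(inside) else "loader-missing")
    return report

def fake_elf64(interp=b""):
    """Constructed sample: minimal little-endian ELF64 header + one program header."""
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    ph = struct.pack("<IIQQQQQQ", PT_INTERP if interp else 1, 4, 120, 0, 0, len(interp), 0, 1)
    return hdr + ph + interp
```

A glibc static binary that resolves hostnames still loads libnss* at run time without a PT_INTERP entry, so a "no-loader" result does not prove the chroot's lib directory can be emptied. Shared objects usually lack PT_INTERP as well and are reported the same way.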