[Apparmor-general] profile for proftpd and chrooted users
Crispin Cowan
crispin at novell.com
Mon Jul 30 06:16:09 MDT 2007
Dieter Bloms wrote:
> On Mon, Jul 30, Crispin Cowan wrote:
>
>> Dieter Bloms wrote:
>>
>>> does it make sense to write a profile for proftpd with chrooted users ?
>>> I asked because the users get a chroot directory and I have to allow
>>> access to / with lrw permissions.
>>>
>> Wait for openSUSE 10.3. It should include a feature enhancement so that
>> the paths used by AppArmor will be absolute with respect to the name
>> space, rather than the chroot jail. With this feature in place, AppArmor
>> profiles composed with chroot jails will be more secure than either one
>> alone.
>>
> we use SLES9 and SLES10; will this enhancement go into the SLES version,
> or are there other options for me ?
>
It is a new kernel module, likely not compatible with your SLES10
kernel. It will very likely be in SLES11, and may be in SLES10SP2.
None of which helps you in the near term :( It is always of *some
benefit* to confine a program with AppArmor, because it restricts the
set of files the program can access to some subset of what it could
access before. The question is whether the security benefit, to you, is
worth the effort, to you. You are right that granting access to / for a
chrooted application is less than wonderful, which is why we are
changing it.
To make the profile more secure, you can ensure that all the pathnames
granted inside the chroot jail are paths that do not exist in the outer
/ directory. Doing this, your profile would have entries like
"/cj/home/**" instead of "/home/**" so if the attacker can escape the
chroot jail, the profile blocks them from doing anything. Your software
(proftpd) may or may not permit this configuration.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor
More information about the Apparmor-general
mailing list