Linux Magazine: Go Directly to Jail
Mar 05, 2003, 07:00
(Other stories by Steve Fried)
"'Security' is one of those 'buzzwords du jour,' and there seems
to be as many approaches to security as there are opinions on
Microsoft. However, unlike other hot topics (or 'CEO hot buttons')
that come and go, effort spent on security almost always pays off.
Moreover, having a multitude of security techniques is a very good
thing. There are umpteen ways to hack a system, and the savvy
system administrator maintains a substantial and varied arsenal of
countermeasures. Firewalls, honey pots, intrusion detection, and
SSH are just a few tricks of the Linux security trade.
"Application jails, also known as 'change root jails' or 'chroot
jails,' are another effective countermeasure. Supported by all
Linux and Unix systems, application jails put up a nearly
impenetrable barrier between the 'jailed' software and the rest of
the system. And because a jail is enforced by the operating system
and not by an application, it can provide an enormous level of
safety. A chroot jail 'incarcerates' untrusted applications, and
acts like a guard, almost literally, for applications that already
have substantial security measures built in.
"This month, let's learn about jails. Let's throw an application
into 'solitary,' and make it a model citizen..."