From: Vlad (vlad_at_vlad.net)
Date: Thu 14 Feb 2002 - 15:06:54 GMT
I think that's the basis for chroot - it binds the new context to an IP
address... otherwise you might as well just set up a generic chroot for
each service.

What you can try and do is create your vservers in private address space
(192.168, 10.0.) and then do port forwards from the 1 real IP address.

-Vlad

On 14 Feb 2002, klavs klavsen wrote:
> Hi guys,
>
> I need to install and maintain 6 kinds of servers.
>
> 1 with Samba and OpenLDAP, 1 with Postfix, Courier-IMAP, OpenLDAP and
> Apache, and so forth.
>
> What I wanted to do is to have them all installed on 1 physical
> machine, under each vserver.
>
> I was thinking, that it would be a good idea to chroot each service on
> each server, so that a vulnerability in one, doesn't put the other
> services on that machine in danger. Unfortunately chroot is not safe
> (see earlier mail on this list).
>
> I've read the docs on the site, but it's not really clear to me if I can
> do this, and how this compares to doing the same with chroot (except for
> the fact that chroot is not safe and vserver is :-)
>
> My questions therefore are these:
>
> Can I "chroot" each service on each vserver - without having to create a
> new vserver (with a new IP) for each service?
>
> In the case of postfix and courier-imap can two "chroot" jails share the
> same files (the maildir)?
>
> A final question, if I install ssh on each vserver - and the services
> are chrooted - will the ssh-users still be able to configure them? -
> they would with a normal chroot, so that shouldn't be a problem?
>
>