/dev/random and chroot jail

Similar Messages

• About chroot jails and ACL

  I want to run rtorrent in a chroot jail. Correct me if wrong, but jailing rtorrent would consume much more RAM cause rtorrent will not use libraries that it needs and may be already in memory.
  So I wonder, why people just don't create a new user, install ACL, block everything to that user but read access to /lib and some config files, and execute permission to only the needed binaries. It would be easy to do since as I understand if you block all /bin permissions to the restricted user, all future files there will inherit those permissions. The only problem I see is that if you update, you will have to set some permissions again, easily fixed with a script. ACL seems much more easier to setup than chroot jails!
  When you run rtorrent under that restricted user, even if rtorrent is exploited, the attacker will not be able to do much, as ACL will not let him execute but basic commands.
  So, why is it that people seem to prefer chroot jails? Does installing ACL has some kind of performance penalty?

  _Mike_ wrote:Does installing ACL has some kind of performance penalty?
  Do you mean Mandatory Access Control? Filesystem ACL is already installed on every Linux system.
  When you run rtorrent under that restricted user, even if rtorrent is exploited, the attacker will not be able to do much, as ACL will not let him execute but basic commands.
  Chroot jails were not created to be used as a security tool and are very easy to break out of. Filesystem ACL is very limited in scope and also provides little security.
  You might want to look into using Mandatory Access Control (MAC) which is available with TOMOYO Linux, AppArmor, SELinux or SMACK. SELinux is the most powerful, but will take a long time to master. TOMOYO Linux is easier to use and the relevant packages are already in [community]. See the wiki page for more information.
  All MAC implementations have a small degree of performance penalty. SELinux probably has the greatest penalty, but overall you probably won't notice anything with any of the implementations.
  Last edited by jnguyen (2011-04-13 06:48:36)

• [solved] nginx chroot jail: open() "/run/nginx.pid" Permission denied

  I used the perl script from the nginx wiki to configure chroot jail and also configured the nginx systemd unit file. When I try to start the service I get
  # systemctl start nginx
  Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.
  # systemctl status nginx.service
  nginx.service - A high performance web server and a reverse proxy server in chroot jail
  Loaded: loaded (/etc/systemd/system/nginx.service; enabled)
  Active: failed (Result: exit-code) since tis 2013-05-07 20:58:49 CEST; 4s ago
  Process: 418 ExecStartPre=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -t -q -g pid /run/nginx.pid; daemon on; master_process on; (code=exited
  , status=1/FAILURE)
  Executing the ExecStartPre line produces the open error.
  # /usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
  nginx: [emerg] open() "/run/nginx.pid" failed (13: Permission denied)
  What could be causing this?
  Here's my nginx.service
  # cat /etc/systemd/system/nginx.service
  [Unit]
  Description=A high performance web server and a reverse proxy server in chroot jail
  After=syslog.target network.target
  [Service]
  Type=forking
  PIDFile=/srv/http/run/nginx.pid
  ExecStartPre=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
  ExecStart=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;'
  ExecReload=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;' -s reload
  ExecStop=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -g 'pid /run/nginx.pid;' -s quit
  [Install]
  WantedBy=multi-user.target
  /srv/http/run
  # ls -ahl /srv/http/run/
  totalt 8,0K
  drwxr-xr-x 2 root root 4,0K 7 maj 20.53 ./
  dr-x--x--x 9 root root 4,0K 7 maj 20.16 ../
  -rw-r--r-- 1 root root 0 7 maj 20.53 nginx.pid
  edit:
  # chroot --userspec http:http /srv/http /usr/sbin/nginx
  nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
  I tried to change the port to 8080 and got
  # chroot --userspec http:http /srv/http /usr/sbin/nginx
  nginx: [emerg] open("/dev/null") failed (13: Permission denied)
  solution:
  The problem was due to the partition being mounted nodev,nosuid.
  Last edited by seron (2013-05-08 11:25:12)

  I know this post is quite old but I wanted to say thank you to the author that you posted this solution. THANKS!!!

• How to setup /dev/random to SSL seed no. in JDK 1.4

  In order to speed up the SSL encryption and reduce CPU resources in WebServer, pls let us how to setup/define the /dev/random for SSL seed no in JDK 1.4 on Solaris 8 (Latest Patch).
  Current Setup:
  H/W:
  + Sun V880 with 2 x 1.2GHz US-III CPU, 2GB RAM
  S/W:
  + SunOne Web Server 6.1 SP1
  + Solaris 8 (latest patch) support /dev/random
  + JDK 1.4
  Rgds,
  William

  You may get a better response posting this question to one of the security forums, specifically:
  http://forum.java.sun.com/forum.jsp?forum=2
  http://forum.java.sun.com/forum.jsp?forum=60
  You could also try the App server product forum:
  http://swforum.sun.com/jive/category.jspa?categoryID=30

• Chroot-jail password problem

  I've got a running chroot-jail to allow semi-trusted users ssh-access to my webhosting server. The problem is that they can't change their passwords because `passwd` can't access files outside the chroot-jail (as it's suppose to be). I've read about someone solving this using nsswitch.conf and some sort of setup to make it possible for the users to change their passwords.
  The question is basically, how do I get around this problem, making it possible for the logged in users to change their own password?

  Oh what a tangled web we weave.  I read up on keychain and I don't understand what I'm reading.  Right now I cannot download my email on my computer, I can access it through the cloud. I'm sure it will be the same for the other iCloud feathers.   When I go to preferences and select iCloud when ever I try to sign in I get some dialog box it shows up "A keychain cannot be found to store 1076701306.  It doesn't matter whether I reset it or cancel it out iCloud preferences remains grayed out. 
  In keychain access on the left side under keychains and Read's local item, systems, and systems roots.
  When I select local items nothing shows up to the right under the name column even when down under all items is selected nothing shows up.  And nothing shows up to the right when under categories I selected the other options password etc.  On the other hand when I select under keychains systems, systems roots I do get items to show up on the right side under names under all items, passwords, etc.  Where do I start?

• MySQL, to chroot jail or not?

  I didn't know that it was ever considered to be worth it.  This is not a common practice, even in large firms I am not aware of anyone doing this. I saw not worth it.

  Hey Guys,
       We're moving to a new host for our VPS and it's a different OS, (Ubuntu, we're coming from CentOS). 
       On our previous server we chroot jailed mysqld. but now I've been doing some research and there's a bunch of people out there that say it's not even worth it to do it anymore.
       Do you guys think this is true? Should I waste my time setting up the chroot jail? or should I just install it like any other application on the server base?
  This topic first appeared in the Spiceworks Community

• SFTP only access in chrooted jail?

  Hi
  I'm trying to make it so a user only has sftp access in a chrooted jail.
  I've tried following a couple walkthroughs with no success
  http://www.macresearch.org/restricted-sftp-mac-os-x-leopard
  http://www.debian-administration.org/articles/590
  This is 10.6.2 Server.
  I created my user and ran the following steps as root.
  chmod g-w /
  chmod g-w /Volumes/HD
  chown root /Volumes/HD
  mkdir /Volumes/HD/user_dir
  chown user /Volumes/HD/user_dir
  chmod 700 /Volumes/HD/user_dir
  I've added this to my sshd.config file:
  # override default of no subsystems
  #Subsystem sftp /usr/libexec/sftp-server
  Subsystem sftp internal-sftp
  Match User user
  X11Forwarding no
  AllowTcpForwarding no
  ChrootDirectory /Volumes/HD
  ForceCommand internal-sftp
  Here is what I get when I try to ssh or sftp:
  sftp user@localhost
  Connecting to localhost...
  Password:
  Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
  Connection closed
  Any helps is greatly appreciated.
  Thanks.

  hmmm strange. think i figured it out.
  finall went with
  Subsystem sftp internal-sftp
  Match User user
  X11Forwarding no
  AllowTcpForwarding no
  ChrootDirectory /chroot
  ForceCommand internal-sftp
  create a new dir chroot and another dir inside it.
  the Chroot must be own by root and groups or other cannot have write access to any of it.
  the dir i created inside chroot is chmod 700 and owned by my user.
  it looks like because ChrootDirectory must have the directory own by root and unwritable by others, you can't direct your user directly to their locked down dir. they must sftp in to chroot then cd to their folder.
  not sure how to get around this.

• /dev/random on Ivy Bridge CPU

  Hello,
  I have a Sandy Bridge instead of an Ivy Bridge CPU. Ivy Bridge has a new instruction for true random number generation at 500 Mbit/s.
  If I type cat /dev/random, it only shows a few lines of random characters, increasing a bit if I move the mouse.
  I'm curious, if you own an Ivy Bridge CPU, does /dev/random make use of it and spit out lots of random data very fast?
  So please do an experiment for me, if you are using Linux on an Ivy Bridge CPU: Please let me know how much output "cat /dev/random" gives for you
  (Note: NOT /dev/urandom!!).
  In other words I'm just curious if Linux makes use of that potential, or if it only uses mouse movement and networking and stuff.
  Thanks.
  Last edited by aardwolf (2013-06-10 15:43:50)

  When I use rng-tools, and rngd.service is running, /dev/random is crazy.  But like you I get about five random lines if it is not running.
  Edit: BTW, I don't have a /dev/hw_random or a /dev/hwrandom.
  Last edited by WonderWoofy (2013-06-10 21:27:52)

• Dunning report difference in dev,testing and prod server in sap

  Hi all..
  we are facing a problem while executing the tcode f150 in dev,tsting and production server.
  while giving the same run on and identification,the different parameters are coming and the status is geting changed.
  in ker,the process is getting compelted,in testing the process is getting sceduled,complete but getting the status as"process completed but job deleted".
  and in production,the status like testing server is coming but some tabs(from the too bar where delete,etc lies)are not getting to see,its not showing up.
  please tell me if we can check it through some tcodes,or eliminate the eorr.
  we are not able to locate the cause behind.thanks in adv.

  Hi chandu,
  In my previous Organisation we got exactly the same landscape for BW as you described.BCS(BAYER COPSCIENCE LTD) operates a BW System Landscape with one centralized  Global Development System and three regional Quality Assurance and Production Systems located in Europe, Asia Pacific and Americas. This Landscape is to ensure consistent data models to be available in all regional systems as well as to minimize development efforts and make use of respective synergies.
  This is perfectly working  for BCS ,and I think, this is the most approriate way of handling of resources.
  Regards
  CSM Reddy

• IPhone 4s Voice Memo App has 5 second delay when the record button is pressed. When it starts recording, it goes from 0 seconds to 5 or so seconds recorded. This happens randomly and often and sometimes has the delay but starts at zero. Solution Anyone?

  After iOS 7 update, my iPhone 4s Voice Memo App has 5 second delay when the record button is pressed. When it starts recording, it goes from 0 seconds to 5 or so seconds that it shows has recorded. This happens randomly and often, sometimes it will have the 5+ second delay but starts recording at zero seconds. Besides the delay it has been working fine as far as saving and playback is concerned. I have plenty of storage on the phone itself and it NEVER had this problem before I updated to iOS 7. I've reset the phone a couple times by holding down the power and home buttons at the same time. The reason I have an issue with this is that I'm always recording song ideas, melodies, and scratch takes; what I'm saying is when I come up with an idea I need to be able to know that when I hit record it will start right then so I don't forget anything that has just popped in my mind.
  Does anyone have a solution or suggestion?
  Thanks

  After iOS 7 update, my iPhone 4s Voice Memo App has 5 second delay when the record button is pressed. When it starts recording, it goes from 0 seconds to 5 or so seconds that it shows has recorded. This happens randomly and often, sometimes it will have the 5+ second delay but starts recording at zero seconds. Besides the delay it has been working fine as far as saving and playback is concerned. I have plenty of storage on the phone itself and it NEVER had this problem before I updated to iOS 7. I've reset the phone a couple times by holding down the power and home buttons at the same time. The reason I have an issue with this is that I'm always recording song ideas, melodies, and scratch takes; what I'm saying is when I come up with an idea I need to be able to know that when I hit record it will start right then so I don't forget anything that has just popped in my mind.
  Does anyone have a solution or suggestion?
  Thanks

• My IPhone4 keeps buzzing randomly and now it wont even charge

  My IPhone4 keeps buzzing randomly and now it wont even charge !! Please "HELP"
  Info:
  IPhone 4
  Version : 5.1
  I was having this problem with the vibration IPhone keeps vibrating randomly with no notification don't know what's the problem with it !!
  And currently when I tried to charge it it wont charge I tried to do some research about this issue and have read some of the same problem
  here in the forum with same issue and done almost everything changed the cable , core , usb did the hard reset still nothing !!!
  Any idea would be appreciated . Thanks
  Updated:
  I discovered that its not a battery issue
  The reason is that it's chargeable while the phone is switched off completely !
  after a while you can see the battery charge is full 100%
  but when it's switched on the phone wont charge or recognized
  the cable from wall charger or usb so I the ITunes won't sync or see the device !
  I think its something with the software ! 
  I tried to update to IOS 5.1.1  but after downloading
  it wont install the new update I got this message;
  "Unable to Install Update"
  An error occurred installing IOS 5.1.1
  So that only chance which I think it might hwlp solving the problem is dead now
  I really have no idea what to do other than taking this phone to Apple 
  :If you have similar issue you can write here or you can check the following post
  https://plus.google.com/u/0/109937970144676369628/posts/Hrv43wnzREE
  keywords:
  IPhone keeps buzzing , IPhone4 keeps buzzing
  IPhone4 keeps vibrating , IPhone wont charge
  An error occurred installing , Unable to Install Update , 
  IPhone wont connect to iTunes .

  UPDATE: 2
  My IPhone4 keeps buzzing randomly and now it wont even charge !! Please "HELP"
  https://plus.google.com/u/0/109937970144676369628/posts/CrAi9u9PZz7
  https://plus.google.com/u/0/109937970144676369628/posts/Hrv43wnzREE
  https://plus.google.com/u/0/109937970144676369628/posts/a2TeUdCHoQs
  OK folks I started my deep research about this issue ( MY problem )
  Don't know if some one out there is even got similar issue
  The battery is charging well while my phone is switched off so last night
  my Iphone runs out of charge completely 0% so I plugged the cable
  and switch it on after a while and all the sudden it shows that the battery
  is charging while its switched on !!
  If you want to do this you have to plug the charging cable first then turn off
  your Iphone and wait for a while then  turn it back on ( sipmle off ) no need
  for the (Hard) Reset or recovery mode / DFU mode .
  Just as a normal way to of switching off your Iphone by
  Holding down the sleep/wake button at the top right-hand corner of the iPhone for a few seconds. 
  This will bring up a screen asking you to run the slider across the screen to turn off the iPhone.
  Wait few seconds and repeat that with holding that same sleep/wake button at the top right-hand corner for like a Sec and it will turn on , Then you can
  see that your phone is charging while its on !
  If you unplug your charging cable this will ruin the whole plan and if you
  you plug it again it wont show anything and will not be able to charge
  while its on and you have to repeat that procedure.
  Now we are sure that out Dock and Charging Port and battery are working fine , So whats the problem here and why my PC wont detect my Iphone ??
  Well I assume its from a part called ( PMU IC ) Power Management Unit IC
  http://www.buyforapple.com/product_images/j/iphone4_power_management_un__72870.j pg
  Check this out :
  http://youtu.be/MJPKuLy7XQQ
  So I think my main problem is from that tiny part that makes all that
  problem I have now so I have to replace it first just to make sure before
  replacing any other parts so this is the start I hope this was the problem
  that caused all this !!!
  If you have any similar issue to mine I really appreciate any advice ,
  suggestions regarding this matter .
  Thanks for reading
  Have a great time

• How to set up DEV, TEST and PROD environment?

  We have used BI publisher Enterprise (standalone), Oracle BI Publisher 10.1.3.4.1. Our admin set up DEV, TEST and PROD environment based on the folder. For example, there is DEV folder, TEST folder and PROD folder. Developer is developing reports under DEV folder. Under TEST and PROD folder, there are many sub-folder based on the login user role. Sometimes a report has to be assigned to a multiple sub-folder under PROD. So our admin create symbolic links in the Linux box which BI server is located. That way, if a report is updated, there is no need to update the report in all sub-folder.
  The issue I have is we are not allowed to touch any files under TEST/PROD folder. Only admin will move the report from DEV folder to TEST/PROD folder because those links admin created might be broken. However, as a developer, we still have permission to delete/rename/copy report under those restricted folders. Yesterday one report under PROD has been renamed by a developer. And admin complains because the links he has created not working anymore. Just wonder if admin doesn't allow developers to touch the reports under those folders, is there a way to remove the write permission on those folders? Also do you think this is a good practice to set up DEV, TESDT and PROD environment? Any input will be greatly appreciated.

  We have used BI publisher Enterprise (standalone), Oracle BI Publisher 10.1.3.4.1. Our admin set up DEV, TEST and PROD environment based on the folder. For example, there is DEV folder, TEST folder and PROD folder. Developer is developing reports under DEV folder. Under TEST and PROD folder, there are many sub-folder based on the login user role. Sometimes a report has to be assigned to a multiple sub-folder under PROD. So our admin create symbolic links in the Linux box which BI server is located. That way, if a report is updated, there is no need to update the report in all sub-folder.
  The issue I have is we are not allowed to touch any files under TEST/PROD folder. Only admin will move the report from DEV folder to TEST/PROD folder because those links admin created might be broken. However, as a developer, we still have permission to delete/rename/copy report under those restricted folders. Yesterday one report under PROD has been renamed by a developer. And admin complains because the links he has created not working anymore. Just wonder if admin doesn't allow developers to touch the reports under those folders, is there a way to remove the write permission on those folders? Also do you think this is a good practice to set up DEV, TESDT and PROD environment? Any input will be greatly appreciated.

• In SAP BW landscape we should have separate servers for DEV, QA and PROD

  Hi all,
  In SAP BW system landscape we should have separate servers for DEV, QA and PROD.
  whether one server is enough for DEV and we can use virtual servers to QA & PROD?
  Regards,
  chandu

  Hi chandu,
  In my previous Organisation we got exactly the same landscape for BW as you described.BCS(BAYER COPSCIENCE LTD) operates a BW System Landscape with one centralized  Global Development System and three regional Quality Assurance and Production Systems located in Europe, Asia Pacific and Americas. This Landscape is to ensure consistent data models to be available in all regional systems as well as to minimize development efforts and make use of respective synergies.
  This is perfectly working  for BCS ,and I think, this is the most approriate way of handling of resources.
  Regards
  CSM Reddy

• NO reviews are showen in dev center and on store app too.

  some of my frndz and downloaders installed my app on their phone .. but when they try to review the ratings and reviews are submitted but not shown on my dev center and store app reviews section.
  help me out from this.

  1. App Store>Featured (bottom of page)>Apple ID (at bottom of page)
  2. Tap on Apple ID>View Apple ID
  4. Enter your password
  5. Tap Country/Region
  6. Tap Change Country or Region
  http://i1224.photobucket.com/albums/ee374/Diavonex/Album%201/75705ca9af070c17ff3 275a04a88b9e2.jpg
  http://i1224.photobucket.com/albums/ee374/Diavonex/Album%201/b4cc71e8ada367a824a b7855351d6ae3.jpg

• What is the average duration of 1 full SAP life cycle or 1 end-to-end implementation. How long does it take to prepare DEV, QAS and PRD?

  What is the average duration of 1 full SAP life cycle or 1 end-to-end implementation. How long does it take to prepare DEV, QAS and PRD in any company?

  Anand,
  let me start with saying that the question you ask may not help you to determine the duration of your project. As Ryan and others stated the duration of the project is highly dependent on the scope of the solution you are implementing, geographical scope, amount of modifications/enhancements, number of languages, number of users that need to be trained, amount of standard processes customer is able to re-use in the implementation and many other factors (like quality of implementation contractor you will chose and availability of customer and implementors resources). I can probably go on for another couple lines, but I guess you get the idea.
  With that out of the way let's talk about some example implementations that will give you an idea - Ryan did great job outlining what I would call traditional approach above. I have couple examples where customers leveraged innovative deployment strategies that are available today. In particular the project teams leveraged pre-packaged services like RDS, World Template or Best Practices as their baseline solution and they built from there. Second acceleration technique customers now leverage is the deployment in the SAP HANA Enterprise Cloud to accelerate the time to initial setup of the system and thus move from traditional blueprinting to scope validation exercise that further shortens the time. There are other acceleration techniques we see applied in some cases like use of iterative implementation of the delta requirements on top of the baseline solution.
  Let me offer few examples to illustrate what I explained above:
  ERP implementation at Schaidt Innovations with 3 months long deployment of ERP solution using ERP RDS as a baseline (you can view their testimonial here - Schaidt Innovations: SAP ERP on HANA in the cloud - YouTube)
  Customer in Asia with global template deployment that leveraged SAP ERP for Manufacturing with deployment to cloud and 9 countries rollout (Japan, Korea, China, Taiwan, Hong Kong, UK, Germany and US). The initial deployment took 4 months for first country and 2 months for rollout into the additional 8 countries - so total of 6 months. The original plan using traditional approach with full blueprint and heavy configuration was estimated to be more than double of the actual deployment time.
  There are many other examples where customers follow the assemble-to-order delivery model for their project and gain significant benefits doing so. I suggest you to review some of the recordings we did in 2013 about this approach and if you are member of ASUG review the Agile ASAP sessions we did for ASUG PM SIG.
  Link to webinars: SAP A2O Webinar Series Schedule
  Let me know if you have any questions.
  Jan