[openssl-users] Session params output fails via cron
Jakob Bohm
jb-openssl at wisemo.com
Mon Jan 7 21:51:01 UTC 2019
On 07/01/2019 22:26, Jordan Brown wrote:
> [ Off topic for OpenSSL... ]
>
> On 1/7/2019 8:06 AM, Jakob Bohm via openssl-users wrote:
>> A chroot with no other reason to open /dev/null should not contain that
>> file name, even on unix-like platforms (least privilege chroot design).
>
>
> There's always a first reason :-)
>
> But also: /dev/null is part of the definition of UNIX
> <http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap10.html#tag_10_01>.
> Programs have every right to expect that it will be there. Yes, you
> can build a chroot environment that doesn't include it... but then you
> can't complain when programs don't work in your environment. You can
> also build an environment that doesn't include system libraries, and
> there are reasons to do so, but few programs will work in it.
>
> Looking at Solaris, about 15% of the programs in /usr/bin and 5% of
> the libraries in /usr/lib have a reference to /dev/null.
>
>
The whole point of a chroot jail is to deny a program access to any
and all parts of Unix (and the local flavor) it won't need. For
example, most chroot jails remove /bin/ls, with ftp servers as the
major exception.
Thus /dev/null being part of UNIX/POSIX doesn't say anything about
its availability in chroot jails. Nor does it say anything about
its availability on non-unix platforms, many of which are explicitly
supported by the OpenSSL libraries.
For many programs, it is standard to chroot to a directory with
nothing or almost nothing after loading configuration files, code,
certificates etc. /var/empty and /var/www are common examples.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
More information about the openssl-users
mailing list