[openssl-users] Session params output fails via cron

Jakob Bohm jb-openssl at wisemo.com
Mon Jan 7 21:51:01 UTC 2019


On 07/01/2019 22:26, Jordan Brown wrote:
> [ Off topic for OpenSSL... ]
>
> On 1/7/2019 8:06 AM, Jakob Bohm via openssl-users wrote:
>> A chroot with no other reason to open /dev/null should not contain that
>> file name, even on unix-like platforms (least privilege chroot design).
>
>
> There's always a first reason :-)
>
> But also:  /dev/null is part of the definition of UNIX 
> <http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap10.html#tag_10_01>.  
> Programs have every right to expect that it will be there.  Yes, you 
> can build a chroot environment that doesn't include it... but then you 
> can't complain when programs don't work in your environment.  You can 
> also build an environment that doesn't include system libraries, and 
> there are reasons to do so, but few programs will work in it.
>
> Looking at Solaris, about 15% of the programs in /usr/bin and 5% of 
> the libraries in /usr/lib have a reference to /dev/null.
>
>
The whole point of a chroot jail is to deny a program access to any
and all parts of Unix (and the local flavor) it won't need.  For
example, most chroot jails remove /bin/ls, with ftp servers as the
major exception.

Thus /dev/null being part of UNIX/POSIX doesn't say anything about
its availability in chroot jails. Nor does it say anything about
its availability on non-unix platforms, many of which are explicitly
supported by the OpenSSL libraries.

For many programs, it is standard to chroot to a directory with
nothing or almost nothing after loading configuration files, code,
certificates etc. /var/empty and /var/www are common examples.


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
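As an added illustration of the design point above (not code from the thread or from OpenSSL), the usual defensive pattern is to acquire /dev/null before entering the jail, so the jail directory itself, such as /var/empty, need not contain any device node. The chroot step only runs when the process is root, and the /var/empty path is assumed to exist on the host.

```c
/* Added example: obtain /dev/null before chroot() so the jail need not
 * contain it. Not from the mailing-list thread; assumes a POSIX host. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Descriptor for /dev/null, acquired before the jail is entered. */
static int g_null_fd = -1;

/* Open /dev/null once and check it really is a character device, so a
 * regular file planted at that path cannot silently collect data.
 * Returns the descriptor, or -1 on failure. */
int acquire_null_fd(void) {
    if (g_null_fd >= 0) return g_null_fd;
    int fd = open("/dev/null", O_RDWR | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) { close(fd); return -1; }
    g_null_fd = fd;
    return fd;
}

/* Point a standard descriptor at the pre-opened /dev/null. This works in a
 * jail with no /dev at all, because only dup2() is involved. Returns 0/-1. */
int redirect_to_null(int target_fd) {
    if (g_null_fd < 0 && acquire_null_fd() < 0) return -1;
    return dup2(g_null_fd, target_fd) == target_fd ? 0 : -1;
}

/* Enter the jail: chdir, chroot("."), then chdir("/") so the working
 * directory cannot point outside. Needs root; returns 0 or -1 with errno. */
int enter_jail(const char *dir) {
    if (chdir(dir) != 0) return -1;
    if (chroot(".") != 0) return -1;
    if (chdir("/") != 0) return -1;
    return 0;
}

int main(void) {
    if (acquire_null_fd() < 0) { perror("/dev/null"); return 1; }
    if (geteuid() == 0 && enter_jail("/var/empty") != 0) { perror("chroot"); return 1; }
    /* stdin is now silenced without the jail needing /dev/null itself */
    if (redirect_to_null(STDIN_FILENO) != 0) { perror("dup2"); return 1; }
    printf("%s\n", access("/dev/null", F_OK) == 0 ? "jail has /dev/null"
                                                  : "jail has no /dev/null");
    return 0;
}
```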
