Mounting /proc more than once

From: Andrew S (wkdpanda2@hotmail.com)
Date: Mon Aug 22 2005 - 13:41:05 EDT


I just went through the process of jailing iPlanet via chroot on a Solaris 9
system.

Getting it to run was a pain going through trace files, until I had all the
libraries and such in the jail.

However, the real pain was that iPlanet kept wanting to access the /proc
directory. Indeed, the lwp that iPlanet uses for listeners would exit,
sending a SIGCHLD to the parent, killing the webserver immediately after
start. The only way to get the server to run was to mount /proc a second
time, in the jail.

/sbin/mount -F proc /proc /www/jail/proc

Now, the big question - how long will it work? Will the Solaris 9 kernel
handle the proc filesystem mounted more than once? If someone breaks the
webserver, they should be an unprivileged user. They shouldn't have access
to most things in proc, but how much damage could they do?

I know that if there is a root exploit in the jail, things could get bad,
but there isn't much in the jail for them to use.

What does everyone else think about this?

-Andrew

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:31:21 EDT