#981 new enhancement

chroot support?

Reported by: ioerror Owned by: somebody
Priority: major Milestone: undecided
Component: code Version: 1.6.0
Keywords: security twisted chroot install Cc:
Launchpad Bug:

Description

I'd like Tahoe to be forced chrooted after a certain run time (say, after start up as a storage node) - On a modern GRSec enabled Linux machine, it may provide a bit of defense in depth.

Change History (2)

comment:1 Changed at 2010-03-10T20:05:51Z by warner

FYI, I *think* that after tahoe's Node.startService is called, it shouldn't be touching anything outside of its basedir. (by that point, all python libraries should have been imported, random files like /etc/mime.types should have been read, and the Tahoe code itself never touches anything outside the basedir). It will need continued access to /dev/urandom, of course.

twistd has a --chroot argument which is worth exploring. I don't know when exactly it gets invoked, but it's probably the Right Way to do it, so if it doesn't work with --chroot, I'd be happy to try to fix tahoe to make it work.
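A pre-flight check for the assumption in comment:1, added here as an example (it is not part of the ticket or of Tahoe's code): it lists a running process's open files through Linux `/proc` and reports any that resolve outside the basedir, other than `/dev/urandom`. The function names and the demo's use of the current directory as basedir are assumptions made for illustration.

```python
import os

# Paths the node must keep reaching after confinement (per comment:1).
ALLOWED_OUTSIDE = ("/dev/urandom",)


def open_file_paths(pid="self"):
    """Return the filesystem targets of a process's open descriptors (Linux /proc)."""
    fd_dir = f"/proc/{pid}/fd"
    paths = []
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor was closed while we were listing
        if target.startswith("/"):  # skip socket:[...], pipe:[...], anon_inode:...
            paths.append(target)
    return paths


def is_inside(basedir, path):
    """True if path, with symlinks resolved, lies at or below basedir."""
    base = os.path.realpath(basedir)
    real = os.path.realpath(path)
    # commonpath compares whole components, so /srv/node-other is not
    # mistaken for a child of /srv/node the way a string prefix test would.
    return os.path.commonpath([base, real]) == base


def escaping_paths(basedir, paths, allowed=ALLOWED_OUTSIDE):
    """Return the sorted paths that would be unreachable from a chroot at basedir."""
    return sorted(
        {
            p
            for p in paths
            if os.path.realpath(p) not in allowed and not is_inside(basedir, p)
        }
    )


if __name__ == "__main__":
    # Demo: audit this interpreter, treating the current directory as basedir.
    for path in escaping_paths(os.getcwd(), open_file_paths()):
        print("outside basedir:", path)
```

Open descriptors only show what the process holds at the moment of the check; files it opens later would need to be caught by tracing the running node.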

comment:2 Changed at 2010-03-25T00:37:17Z by davidsarah

  • Keywords twisted chroot install added
  • Priority changed from minor to major