soup4you2
September 11th, 2003, 18:35
Ok just a question here...

when you create a chroot you copy the libs to that sandbox.

however when you update applications it's upon the admin to remember to update those libs.

my question is.

can a person symlink or hardlink those libs/apps ? will a chroot follow those and what security mishaps may result in that?

bmw
September 11th, 2003, 22:22
symlink: no.
hardlink: yes, but only if the file is on the same filesystem (eg: /usr)

No security issues (unless you later goof up and update a binary to a flawed version, but that's no different from a separate copy).

Depending how you update it, you may inadvertently break the link. Overwrites that involve opening the existing file for writing and then writing over it (possibly ftruncating it) are OK and preserve the hardlink. Some apps (eg tar --unlink) can unlink the file before writing it; that will cause the hardlink association to go away, necessitating that you remove the chroot'ed copy and re-link it.

You could automate all this with a script.

frisco
September 11th, 2003, 23:03
For symlink to work, you would have to place the original in the chroot and symlink from outside, as symlinks from inside a chroot to outside don't work.

Hard links should work, but can only exist on the same fs, so you're stuck with your libs and your chroots on the same fs. I like to separate my chroot partitions from others to prevent fs full problems. Also, if you use hardlinks and there exists a vulnerability that allows the attacker to write to any given file in the fs, then all programs that depend on that lib that are outside the chroot will also be affected.

I think your best bet is to leave the chroot libs separate and to instead write a script that updates those libs every night, if necessary. e.g.:
[code:1:02290ba3f2]
# refresh the chroot under /var/www: for every regular file in its usr/,
# copy the host's /usr/... version over it whenever the host copy is newer
cd /var/www
for file in `find usr/ -type f`; do
    if [ "/$file" -nt "$file" ]; then
        cp "/$file" "$file"
    fi
done
[/code:1:02290ba3f2]

it's upon the admin to remember to update those libs.

Bah. Sysadmin should only ever work once in the life of a server: when the server is being set up. Every future maintenance task should have been scripted right then.
Wish I was at that level...
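The nightly refresh from frisco's post and bmw's point about hardlinks severed by an unlink-then-write update, combined into one script. This is an added example, not code from either poster; it assumes the chroot's usr/ tree mirrors the host's /usr (HOST=/ and CHROOT=/var/www in the thread) and that the sandbox it builds for a dry run is constructed data.

```shell
#!/bin/sh
# Added example, not code from the thread. Mirrors the host's files into a
# chroot the way frisco's nightly script does, and handles bmw's caveat:
# a hardlink severed by an unlink-then-write update (e.g. tar --unlink)
# can be detected with test -ef and restored with ln -f.
# Assumed layout: CHROOT/usr/... mirrors HOST/usr/... (e.g. HOST=/ CHROOT=/var/www).

# "stale" if the host file is newer than the chroot copy, else "current".
chroot_file_state() {
    if [ "$1" -nt "$2" ]; then echo stale; else echo current; fi
}

# "linked" when both paths are one inode, "broken" when they differ,
# "missing" when the chroot copy does not exist.
hardlink_state() {
    if [ ! -e "$2" ]; then echo missing
    elif [ "$1" -ef "$2" ]; then echo linked
    else echo broken; fi
}

# Walk CHROOT/usr; mode "copy" refreshes stale copies with cp -p,
# mode "link" re-establishes hardlinks (same filesystem required).
sync_chroot_tree() {
    host_root="$1"; chroot_root="$2"; mode="${3:-copy}"
    # read -r over find output keeps paths with spaces intact, unlike the
    # unquoted backtick loop in the original post
    find "$chroot_root/usr" -type f | while IFS= read -r copy; do
        rel="${copy#"$chroot_root"/}"; src="$host_root/$rel"
        [ -e "$src" ] || continue                 # lives only inside the chroot
        if [ "$mode" = link ]; then
            if [ "$(hardlink_state "$src" "$copy")" = broken ]; then
                ln -f "$src" "$copy" && echo "relinked $rel"
            fi
        elif [ "$(chroot_file_state "$src" "$copy")" = stale ]; then
            cp -p "$src" "$copy" && echo "updated $rel"
        fi
    done
}

# Constructed sandbox for a dry run: a stale copy, an intact hardlink, and a
# hardlink broken by an unlink-then-rewrite of the host file. Prints its path.
build_sandbox() {
    d=$(mktemp -d); mkdir -p "$d/host/usr/lib" "$d/chroot/usr/lib"
    echo new > "$d/host/usr/lib/libstale.so"; echo old > "$d/chroot/usr/lib/libstale.so"
    echo same > "$d/host/usr/lib/liblinked.so"
    ln "$d/host/usr/lib/liblinked.so" "$d/chroot/usr/lib/liblinked.so"
    echo v1 > "$d/host/usr/lib/libbroken.so"
    ln "$d/host/usr/lib/libbroken.so" "$d/chroot/usr/lib/libbroken.so"
    rm "$d/host/usr/lib/libbroken.so"; echo v2 > "$d/host/usr/lib/libbroken.so"
    touch -t 200301010000 "$d/chroot/usr/lib/libstale.so" "$d/chroot/usr/lib/libbroken.so"
    echo "$d"
}
```

Run `d=$(build_sandbox); sync_chroot_tree "$d/host" "$d/chroot"` to see the stale copies refreshed, then the same call with a third argument `link` to see the severed hardlink restored.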

soup4you2
September 12th, 2003, 09:13
Wow.... great responses guys.. I do appreciate this.

the only thing I noticed w/ the script that won't work..

and maybe you can help me figure this out.. is some binaries depend on libs in both /usr/lib and /usr/local/lib. Whenever I put them in /usr/local/lib it fails to see them, and if I were to put them in /usr/lib it sees them just fine.. I'm assuming it's the path, but where does a chroot get its path env from?

frisco
September 12th, 2003, 11:53
Either copy over a good /var/run/ld.so.hints or set LD_LIBRARY_PATH when running your chrooted programs.

ldconfig(8) for more info.

soup4you2
September 12th, 2003, 13:30
works like a charm... thanks again... I owe you another beer