chrooting/jailing daemons

Soybomb

Diamond Member
Jun 30, 2000
So what is everyone's stance on chrooting daemons on their boxes? As I find myself watching a greater number of boxes and services, I find myself less willing to go to the trouble of doing so. It's certainly nice security-wise to have done, but taking away my ability to use tools like portupgrade to just download and install an update and be done with it in a hurry certainly detracts from the practice. Do you jail? :D

chsh1ca

Golden Member
Feb 17, 2003
Yep, I jail, but if it's getting out of hand maintenance-wise I can see the alternate point. Really though, you can avoid jailing if you properly secure the machine from the start (setting up daemon user accounts, running them as non-root, etc). I'd recommend that approach if you're finding the maintenance to be a real pain.

Barnaby W. Füi

Elite Member
Aug 14, 2001
I chroot BIND 9 for DNS, and it works like a champ. I can see how it might be a pain to do updates, but I'm sure you could just script it.
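The "script it" step for the update problem raised above, as an added example (not code from anyone in the thread): after the package manager refreshes the host copy of a daemon, copy the new binary and the shared libraries ldd reports into the jail, mirroring the host paths. It assumes the jail is laid out as a mirror of the host filesystem (e.g. /var/jail/named/usr/sbin/named) and that ldd is available.

```python
"""Re-sync a daemon binary and its shared libraries into a chroot jail.

Added example, not code from anyone in the thread. It assumes the jail
mirrors the host layout (e.g. /var/jail/named/usr/sbin/named) and that
ldd is available; run it after the package manager updates the host copy.
"""
import os
import re
import shutil
import subprocess
from typing import Dict, List

# Lines of ldd output look like one of these (constructed sample):
SAMPLE_LDD = """\tlinux-vdso.so.1 (0x00007ffd5b3f2000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2c000000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1a2c2a0000)
"""
# Captures the absolute path; the vdso has none, and "=> not found" has none.
_LDD_LINE = re.compile(r"^\s*(?:\S+\s+=>\s+)?(/\S+)\s+\(0x[0-9a-fA-F]+\)")


def parse_ldd_output(text: str) -> List[str]:
    """Return the absolute library paths ldd reports for a binary."""
    return [m.group(1) for m in map(_LDD_LINE.match, text.splitlines()) if m]


def libs_for(binary: str) -> List[str]:
    """Ask ldd for a binary's shared libraries. ldd runs the dynamic loader,
    so only point it at packages you installed yourself."""
    out = subprocess.run(["ldd", binary], capture_output=True, text=True)
    return parse_ldd_output(out.stdout)  # static binaries yield []


def plan_jail_sync(binary: str, libs: List[str], jail: str) -> Dict[str, str]:
    """Map each host file to its destination under the jail, keeping paths."""
    jail = os.path.normpath(jail)
    if jail == "/":
        raise ValueError("refusing to sync a jail rooted at /")
    return {src: jail + os.path.normpath(src) for src in [binary, *libs]}


def sync_jail(binary: str, jail: str) -> Dict[str, str]:
    """Copy the binary and its libraries into the jail; returns what was copied."""
    plan = plan_jail_sync(binary, libs_for(binary), jail)
    for src, dst in plan.items():
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)  # follows symlinks, so the jail gets real files
    return plan
```

Calling sync_jail("/usr/sbin/named", "/var/jail/named") as root after portupgrade or apt-get refreshes the jailed copy; plan_jail_sync shows what would be copied without touching anything.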

Buddha Bart

Diamond Member
Oct 11, 1999
I'd rather be able to patch fast (read "up2date-nox -u" or apt-get update/upgrade) than have a vulnerability that I know won't hurt me too bad, and will take me 15 - 30 minutes to upgrade.

Nothinman

Elite Member
Sep 14, 2001
I generally don't worry about it because most of the services I run aren't exposed to the Internet.