C chroot() and setuid() sandboxing

I'm looking into different security models that are lightweight.

Let's say I have a readonly web service that takes a folder of markdown files and serves them up as HTML.

It gets launched as root and binds to port 8080.

It then chroot()s to the markdown file folder and does setuid(65534) (the nobody user on BSD and Linux, as far as I can tell).

Then let's say another service, nginx, also uses the nobody user.

Is there any drawback to using the same UID in two different chroots? Or should the UID be different?

On BSD and Linux, if I try to kill a PID spawned by nobody from a chroot with nobody, if it's a SIGKILL it terminates the calling process instead of the one it's targeting. So if every sandbox process utilized nobody, and sat in different chroots, there should be no drawback, right? I don't want the different processes to be able to collude as nobody to do anything nefarious, nor to be able to kill each other. It should act as if they are different users.

I know Capsicum is a better solution much of the time, but isn't always available and solves different things.

I used to think random UIDs would be the way to go, but I am starting to think that isn't necessary.
 
That's more to manage and more overhead. Jails are great, but if I can avoid using them for some applications, it's easier. Especially for something that doesn't do any writes.

I think in this case there may be no security advantage. I'd like to know if I'm mistaken.
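As an added example, not code from the post, here is the launch sequence described above written out in C: the privilege-dropping calls in an order where each step still holds the privilege it needs, a check that the drop actually took, and a kill(pid, 0) probe that shows what the kernel's signal permission check looks at (the uid, not the chroot). The directory path in main is an assumed example.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop privileges in an order where each step still has what it needs:
 * chdir+chroot while still root, clear supplementary groups, set the
 * gid, and set the uid last. Returns 0 on success, -1 (errno set) on failure. */
int drop_privileges(const char *dir, uid_t uid, gid_t gid) {
    if (chdir(dir) == -1) return -1;      /* fails early if the directory is missing */
    if (chroot(dir) == -1) return -1;     /* needs root; "." becomes the new root */
    if (chdir("/") == -1) return -1;      /* do not leave the cwd outside the new root */
    if (setgroups(0, NULL) == -1) return -1;
    if (setgid(gid) == -1) return -1;     /* gid before uid: after setuid() this would fail */
    if (setuid(uid) == -1) return -1;
    return 0;
}

/* Verify the drop actually took: real and effective ids match the target
 * and root cannot be regained. Returns 1 if dropped, 0 otherwise. */
int privileges_dropped(uid_t uid) {
    if (getuid() != uid || geteuid() != uid) return 0;
    if (uid != 0 && setuid(0) != -1) return 0;  /* regaining root must fail */
    return 1;
}

/* chroot() does not change the kernel's signal permission check, which is
 * based on uid. kill(pid, 0) delivers nothing but reports whether the
 * caller may signal pid. Returns 1 if allowed, 0 if not (EPERM or ESRCH). */
int can_signal(pid_t pid) {
    return kill(pid, 0) == 0;
}

int main(void) {
    /* socket()/bind() to port 8080 would happen here, while still root */
    if (drop_privileges("/var/www/markdown", 65534, 65534) == -1) {  /* assumed path */
        perror("drop_privileges");
        return 1;
    }
    printf("dropped: %d, can signal self: %d, can signal pid 1: %d\n",
           privileges_dropped(65534), can_signal(getpid()), can_signal(1));
    return 0;
}
```

Run as root it prints `dropped: 1`; two such services both running as 65534 in different chroots will each get `can signal` = 1 for the other's PID, since no uid boundary exists between them.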
 
chroot is good. Running as a least-privileged uid is also good. What about IPC pipes? Or TCP/UDP?

At a minimum you'd need Capsicum to plug any holes that remain.

Things get more complicated when you want to shape how these processes interact with the host and each other. You can group related processes in the same jail and bring them up or down as one unit by starting/stopping the jail.

You can give some jails external network while other jails are limited to a private interface. Jails in the same (private) subnet can talk to each other.

If you're only worried about a single process, what you suggest is very good. The end user can decide to go the extra mile of running it inside a jail and what exotic pf / ipfw rules to apply.