Process separation on an OpenBSD server

Question

I fear this may be a somewhat open-ended question that gets closed: Apologies in advance, but I'll give it a shot!

I'm considering operating an OpenBSD VM with a number of services running on the same instance (SSH, IMAP, SMTP, some HTTP server and VPN). Should I sandbox these daemons, some how (e.g., chroot jails), to ensure they don't interfere with each other, or is the OpenBSD/POSIX model already sufficient? Is there anything else I should be aware of?

Related: https://serverfault.com/questions/307641/bind9-in-a-chroot-jail-necessary-or-not — Deer Hunter, Apr 30 '15 at 10:14
So it sounds like minimising attack surface using chroots for services (which are run as their own user, rather than root) is generally a good idea... — Xophmeister, Apr 30 '15 at 11:12

score 0 · Answer 1 · answered Apr 30 '15 at 19:47

0

Most of OpenBSD’s internal daemons are already privilege separated and chrooted.

answered Apr 30 '15 at 19:47

Bink

193
5

Although this answer is short, it is not low quality. – peterh Apr 30 '15 at 21:03

Process separation on an OpenBSD server

1 Answers1