Gentoo Archives: gentoo-security

From: Anders Bruun Olsen <anders@×××××××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Advice about security solution
Date: Wed, 09 Nov 2005 21:25:19
Message-Id: 20051109211639.GN14230@elmer.skumleren.net
In Reply to: Re: [gentoo-security] Advice about security solution by Nathanael Hoyle
On Wed, Nov 09, 2005 at 02:26:28PM -0600, Nathanael Hoyle wrote:
> > I use the default Gentoo accounts for daemons - fairly certain none of > > them use "nobody". I may be wrong? > Can't answer that question for all gentoo ebuilds. There are probably > some that do. I haven't run all of the daemons that you are running, > but rather than assume, check them out individually. As one example, I > was dismayed to realize when I emerged pdns that by default it just runs > root. I manually added a user and group for pdns and modified the > config to run as those users after binding the port initially (since > port 53 is priviledged). I'd verify user id's for each daemon.
That's probably a very good idea.
> >>3) Chroot jail daemon processes wherever possible. > > Hmm.. any good guides or pointers to get Apache, MySQL, Postfix, > > Courier-imap, rsyncd, ventrilo, cs-server, zope and so on to run in > > jails? > As another poster has mentioned, mod_chroot for apache is worth looking > into. rsyncd on gentoo comes with options to chroot in the conf.d as I > recall. Postfix is quite happy to chroot after setting a config option > as long as the jail is set up properly. The docs on postfix.org go into > this setup pretty carefully.
Now that you mention it, I seem to recall actually having run rsyncd in a chroot earlier. And for Postfix I'm gonna go run off to postfix.org asap - or maybe that Postfix book I bought earlier this year has something about that subject. It's the one by Patrick Koetter and Ralf Hildebrandt and I seem to recall that they are very security concious.
> > That's a very good idea, only they still need to be able to start their > > programs as they are used to. I can't seem to find jail-shell anywhere. > > Is it just a concept for configuring i.e. Bash or is it actually > > available somewhere? > Googling "jail shell" turns up several different shells designed for this.
Of course, I should have tried thinking a little there - I'll go google it :)
> Good luck,
Thank you. -- Anders -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GCS/O d--@ s:+ a-- C++ UL+++$ P++ L+++ E- W+ N(+) o K? w O-- M- V PS+ PE@ Y+ PGP+ t 5 X R+ tv+ b++ DI+++ D+ G e- h !r y? ------END GEEK CODE BLOCK------ PGPKey: http://random.sks.keyserver.penguin.de:11371/pks/lookup?op=get&search=0xD4DEFED0 -- gentoo-security@g.o mailing list

Replies

Subject Author
Re: [gentoo-security] Advice about security solution Nathanael Hoyle <nhoyle@××××××××××××.net>