On Wed, Nov 09, 2005 at 02:26:28PM -0600, Nathanael Hoyle wrote:
> > I use the default Gentoo accounts for daemons - fairly certain none of
> > them use "nobody". I may be wrong?
> Can't answer that question for all gentoo ebuilds. There are probably
> some that do. I haven't run all of the daemons that you are running,
> but rather than assume, check them out individually. As one example, I
> was dismayed to realize when I emerged pdns that by default it just runs
> root. I manually added a user and group for pdns and modified the
> config to run as those users after binding the port initially (since
> port 53 is priviledged). I'd verify user id's for each daemon.
That's probably a very good idea.
> >>3) Chroot jail daemon processes wherever possible.
> > Hmm.. any good guides or pointers to get Apache, MySQL, Postfix,
> > Courier-imap, rsyncd, ventrilo, cs-server, zope and so on to run in
> > jails?
> As another poster has mentioned, mod_chroot for apache is worth looking
> into. rsyncd on gentoo comes with options to chroot in the conf.d as I
> recall. Postfix is quite happy to chroot after setting a config option
> as long as the jail is set up properly. The docs on postfix.org go into
> this setup pretty carefully.
Now that you mention it, I seem to recall actually having run rsyncd in
a chroot earlier. And for Postfix I'm gonna go run off to postfix.org
asap - or maybe that Postfix book I bought earlier this year has
something about that subject. It's the one by Patrick Koetter and Ralf
Hildebrandt and I seem to recall that they are very security concious.
> > That's a very good idea, only they still need to be able to start their
> > programs as they are used to. I can't seem to find jail-shell anywhere.
> > Is it just a concept for configuring i.e. Bash or is it actually
> > available somewhere?
> Googling "jail shell" turns up several different shells designed for this.
Of course, I should have tried thinking a little there - I'll go google
> Good luck,
-----BEGIN GEEK CODE BLOCK-----
GCS/O d--@ s:+ a-- C++ UL+++$ P++ L+++ E- W+ N(+) o K? w O-- M- V
PS+ PE@ Y+ PGP+ t 5 X R+ tv+ b++ DI+++ D+ G e- h !r y?
------END GEEK CODE BLOCK------
firstname.lastname@example.org mailing list