List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Anders Bruun Olsen <anders@...>
Subject: Re: Advice about security solution
Date: Wed, 9 Nov 2005 22:16:39 +0100
On Wed, Nov 09, 2005 at 02:26:28PM -0600, Nathanael Hoyle wrote:
> > I use the default Gentoo accounts for daemons - fairly certain none of
> > them use "nobody". I may be wrong?
> Can't answer that question for all gentoo ebuilds.  There are probably
> some that do.  I haven't run all of the daemons that you are running,
> but rather than assume, check them out individually.  As one example, I
> was dismayed to realize when I emerged pdns that by default it just runs
> root.  I manually added a user and group for pdns and modified the
> config to run as those users after binding the port initially (since
> port 53 is privileged).  I'd verify user ids for each daemon.

That's probably a very good idea.

> >>3) Chroot jail daemon processes wherever possible.
> > Hmm.. any good guides or pointers to get Apache, MySQL, Postfix,
> > Courier-imap, rsyncd, ventrilo, cs-server, zope and so on to run in
> > jails?
> As another poster has mentioned, mod_chroot for apache is worth looking
> into.  rsyncd on gentoo comes with options to chroot in the conf.d as I
> recall.  Postfix is quite happy to chroot after setting a config option
> as long as the jail is set up properly.  The docs on postfix.org go into
> this setup pretty carefully.

Now that you mention it, I seem to recall actually having run rsyncd in
a chroot earlier. And for Postfix I'm gonna go run off to postfix.org
asap - or maybe that Postfix book I bought earlier this year has
something about that subject. It's the one by Patrick Koetter and Ralf
Hildebrandt and I seem to recall that they are very security conscious.

> > That's a very good idea, only they still need to be able to start their
> > programs as they are used to. I can't seem to find jail-shell anywhere.
> > Is it just a concept for configuring i.e. Bash or is it actually
> > available somewhere?
> Googling "jail shell" turns up several different shells designed for this.

Of course, I should have tried thinking a little there - I'll go google
it :)

> Good luck,

Thank you.

-- 
Anders
PGPKey: http://random.sks.keyserver.penguin.de:11371/pks/lookup?op=get&search=0xD4DEFED0
-- 
gentoo-security@g.o mailing list
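Added example, not part of the thread: a small POSIX sh check for the per-daemon user verification the reply above recommends. It reads lines in the shape of `ps -eo user=,comm=` (the process-name list and the sample output are assumptions constructed for this example) and names the listed daemons that run as root.

```shell
#!/bin/sh
# daemons_as_root reads "user comm" lines (the shape of `ps -eo user=,comm=`)
# on stdin and prints the names of the daemons from the given space-separated
# list that are running as root. Anything not in the list is ignored.
daemons_as_root() {
    daemons="$1"
    while read -r user comm; do
        for d in $daemons; do
            if [ "$comm" = "$d" ] && [ "$user" = "root" ]; then
                echo "$comm"
            fi
        done
    done | sort -u
}

# daemon_users prints "comm user" for every listed daemon found on stdin,
# so the reviewer sees which account each service actually uses.
daemon_users() {
    daemons="$1"
    while read -r user comm; do
        for d in $daemons; do
            [ "$comm" = "$d" ] && echo "$comm $user"
        done
    done | sort -u
}

# Constructed sample in the format of `ps -eo user=,comm=`; not real output.
SAMPLE='root     pdns_server
postfix  qmgr
root     master
mysql    mysqld
apache   apache2
root     sshd'

# Assumed daemon names to inspect; adjust to the services on the host.
WATCH="pdns_server mysqld apache2 rsync"

# check_sample runs the root check over the constructed sample and returns
# the flagged daemons as one space-separated string.
check_sample() {
    printf '%s\n' "$SAMPLE" | daemons_as_root "$WATCH" | tr '\n' ' ' | sed 's/ $//'
}

# On a live system:
#   ps -eo user=,comm= | daemons_as_root "$WATCH"
#   ps -eo user=,comm= | daemon_users "$WATCH"
```

Expect an empty result once every listed service has its own unprivileged account; a daemon that must bind a privileged port (such as port 53) should still drop to its own user afterwards, which this check will then reflect.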