On Fri, 2003-07-18 at 02:54, Brandon Hale wrote:
> On Thu, 2003-07-17 at 08:52, Alvaro Figueroa Cabezas wrote:
>
> > Well, if the idea is to harden boxes, this chroot flag should
> > apply to every service thinkable... (And this is a _lot_ of work)

It's not that bad really and has many useful uses outside of security
environments alone.

> I can't argue with that, but the initial goal would be to harden a few
> commonly used or notoriously insecure services. These include bind, ntpd
> and apache to name a few. I am currently working with the bind ebuild to
> adapt the chroot code to respect USE="chroot."

I will support this flag and will help out where I can, perhaps adopting
a script I've been using myself to chroot services on gentoo as an
eclass http://dev.gentoo.org/~solar/gentoo.mkchroot. Then I/we should be
able to take the acls generated from grsec in learning mode to create
runtime package profiles which could be used to tell us what exactly
needs to be in our chroot jail.

On another note I will be happy to pay the first person who codes
sys_jail() for linux as a kernel patch 2 magic beans and a pocket full
of lint.

> > But if the idea is to really harden boxes, chroots should be forgotten,
> > and capabilities applied :).
>
> I'm not sure what you mean by capabilities, but I received a similar
> argument concerning SE Linux, whose superior security model negates the
> usefulness of chroot'ing a service. However, SE Linux is currently
> difficult to implement effectively and not a feasible choice for the
> average sysadmin. Chroot'ing key services could be nicely complemented
> by grsec's chroot hardening, and provide what I believe to be a workable
> solution to increase security in Gentoo.

Capabilities are basically a repartition of root's permissions. Here is the
basic list of them
http://www.gentoo.org/proj/en/hardened/capabilities.xml

--
Ned Ludd <solar@g.o>
Gentoo Linux Developer (Hardened)

--
gentoo-dev@g.o mailing list
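The thread above is about working out what has to go into a service's chroot jail. As an added example (not solar's gentoo.mkchroot script, not the bind ebuild's chroot code, and not part of the original message), here are POSIX shell functions that populate a jail directory with a binary and the shared libraries ldd reports for it, keeping the original absolute paths under the jail root, plus a check for setuid/setgid files that would give a jailed service an easy road back to root. The function names are my own; the only format assumption is ldd's usual output ("libc.so.6 => /lib/libc.so.6 (0x...)", "/lib64/ld-linux-x86-64.so.2 (0x...)"), and a static binary or a system without ldd simply yields no library list.

```shell
#!/bin/sh
# Added example: lay out a minimal chroot jail for one binary.
# Not solar's gentoo.mkchroot; function names are this example's own.

# Print the absolute paths of the shared objects a dynamic binary loads,
# parsed from ldd output (every whitespace-separated field starting with "/").
# A static binary ("not a dynamic executable") or a missing ldd yields nothing.
jail_deps() {
    bin=$1
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Copy one file into the jail at the same absolute path, creating parents.
# Plain cp is used deliberately: it follows symlinks (so /bin/sh -> dash or
# busybox lands as a real file) and does not try to preserve ownership.
jail_copy() {
    jail=$1
    src=$2
    mkdir -p "$jail$(dirname "$src")" || return 1
    cp "$src" "$jail$src"
}

# Install a binary plus every shared library it needs into the jail.
# Returns non-zero if the binary does not exist or any copy fails.
jail_install() {
    jail=$1
    bin=$2
    [ -f "$bin" ] || return 1
    jail_copy "$jail" "$bin" || return 1
    for lib in $(jail_deps "$bin" | sort -u); do
        jail_copy "$jail" "$lib" || return 1
    done
}

# List setuid/setgid regular files inside the jail. Anything this prints
# should be removed or chmod'ed before a service is started in the jail.
jail_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Usage (as root on a real system):
#   jail_install /var/chroot/named /usr/sbin/named
#   jail_setuid_files /var/chroot/named
```

This only lays out files; it is the static counterpart of what the grsec learning mode would tell you at runtime (config files, sockets, /dev nodes the service opens). Entering the jail is the service's job and has to be done in the usual order, chdir into the jail, chroot, then drop root and unneeded capabilities, because a process that keeps root inside a plain chroot can still get out; that is the gap grsec's chroot restrictions and the capability list linked above are meant to close.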