| 1 |
On Thu, 2003-07-17 at 08:52, Alvaro Figueroa Cabezas wrote: |
| 2 |
|
| 3 |
> Well, it the idea is to harden boxes, this chroot flag should |
| 4 |
> apply to every service thinkable... (And this is a _lot_ of work) |
| 5 |
|
| 6 |
I can't argue with that, but the initial goal would be to harden a few |
| 7 |
commonly used or notoriously insecure services. These include bind, ntpd |
| 8 |
and apache to name a few. I am currently working with the bind ebuild to |
| 9 |
adapt the chroot code to respect USE="chroot." |
| 10 |
|
| 11 |
> But is the idea is to really harden boxes, chroots should be forgoten, |
| 12 |
> and capabilities applied :). |
| 13 |
|
| 14 |
I'm not sure what you mean by capabilities, but I received a similar |
| 15 |
argument concerning SE Linux, whose superior security model negates the |
| 16 |
usefulness of chroot'ing a service. However, SE Linux is currently |
| 17 |
difficult to implement effectively and not a feasible choice for the |
| 18 |
average sysadmin. Chroot'ing key services could be nicely complemented |
| 19 |
by grsec's chroot hardening, and provide what I believe to be a workable |
| 20 |
solution to increase security in Gentoo. |
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
-- |
| 26 |
gentoo-dev@g.o mailing list |
Archives