1 |
On Thu, 2003-07-17 at 08:52, Alvaro Figueroa Cabezas wrote: |
2 |
|
3 |
> Well, it the idea is to harden boxes, this chroot flag should |
4 |
> apply to every service thinkable... (And this is a _lot_ of work) |
5 |
|
6 |
I can't argue with that, but the initial goal would be to harden a few |
7 |
commonly used or notoriously insecure services. These include bind, ntpd |
8 |
and apache to name a few. I am currently working with the bind ebuild to |
9 |
adapt the chroot code to respect USE="chroot." |
10 |
|
11 |
> But is the idea is to really harden boxes, chroots should be forgoten, |
12 |
> and capabilities applied :). |
13 |
|
14 |
I'm not sure what you mean by capabilities, but I received a similar |
15 |
argument concerning SE Linux, whose superior security model negates the |
16 |
usefulness of chroot'ing a service. However, SE Linux is currently |
17 |
difficult to implement effectively and not a feasible choice for the |
18 |
average sysadmin. Chroot'ing key services could be nicely complemented |
19 |
by grsec's chroot hardening, and provide what I believe to be a workable |
20 |
solution to increase security in Gentoo. |
21 |
|
22 |
|
23 |
|
24 |
|
25 |
-- |
26 |
gentoo-dev@g.o mailing list |