Gentoo Archives: gentoo-security

From: Anders Bruun Olsen <anders@×××××××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Advice about security solution
Date: Wed, 09 Nov 2005 21:25:19
Message-Id: 20051109211639.GN14230@elmer.skumleren.net
In Reply to: Re: [gentoo-security] Advice about security solution by Nathanael Hoyle
1 On Wed, Nov 09, 2005 at 02:26:28PM -0600, Nathanael Hoyle wrote:
2 > > I use the default Gentoo accounts for daemons - fairly certain none of
3 > > them use "nobody". I may be wrong?
4 > Can't answer that question for all gentoo ebuilds. There are probably
5 > some that do. I haven't run all of the daemons that you are running,
6 > but rather than assume, check them out individually. As one example, I
7 > was dismayed to realize when I emerged pdns that by default it just runs
8 > root. I manually added a user and group for pdns and modified the
9 > config to run as those users after binding the port initially (since
10 > port 53 is priviledged). I'd verify user id's for each daemon.
11
12 That's probably a very good idea.
13
14 > >>3) Chroot jail daemon processes wherever possible.
15 > > Hmm.. any good guides or pointers to get Apache, MySQL, Postfix,
16 > > Courier-imap, rsyncd, ventrilo, cs-server, zope and so on to run in
17 > > jails?
18 > As another poster has mentioned, mod_chroot for apache is worth looking
19 > into. rsyncd on gentoo comes with options to chroot in the conf.d as I
20 > recall. Postfix is quite happy to chroot after setting a config option
21 > as long as the jail is set up properly. The docs on postfix.org go into
22 > this setup pretty carefully.
23
24 Now that you mention it, I seem to recall actually having run rsyncd in
25 a chroot earlier. And for Postfix I'm gonna go run off to postfix.org
26 asap - or maybe that Postfix book I bought earlier this year has
27 something about that subject. It's the one by Patrick Koetter and Ralf
28 Hildebrandt and I seem to recall that they are very security concious.
29
30 > > That's a very good idea, only they still need to be able to start their
31 > > programs as they are used to. I can't seem to find jail-shell anywhere.
32 > > Is it just a concept for configuring i.e. Bash or is it actually
33 > > available somewhere?
34 > Googling "jail shell" turns up several different shells designed for this.
35
36 Of course, I should have tried thinking a little there - I'll go google
37 it :)
38
39 > Good luck,
40
41 Thank you.
42
43 --
44 Anders
45 -----BEGIN GEEK CODE BLOCK-----
46 Version: 3.12
47 GCS/O d--@ s:+ a-- C++ UL+++$ P++ L+++ E- W+ N(+) o K? w O-- M- V
48 PS+ PE@ Y+ PGP+ t 5 X R+ tv+ b++ DI+++ D+ G e- h !r y?
49 ------END GEEK CODE BLOCK------
50 PGPKey: http://random.sks.keyserver.penguin.de:11371/pks/lookup?op=get&search=0xD4DEFED0
51 --
52 gentoo-security@g.o mailing list

Replies

Subject Author
Re: [gentoo-security] Advice about security solution Nathanael Hoyle <nhoyle@××××××××××××.net>