On Wed, Nov 09, 2005 at 02:26:28PM -0600, Nathanael Hoyle wrote:
> > I use the default Gentoo accounts for daemons - fairly certain none of
> > them use "nobody". I may be wrong?
> Can't answer that question for all gentoo ebuilds. There are probably
> some that do. I haven't run all of the daemons that you are running,
> but rather than assume, check them out individually. As one example, I
> was dismayed to realize when I emerged pdns that by default it just runs
> as root. I manually added a user and group for pdns and modified the
> config to run as those users after binding the port initially (since
> port 53 is privileged). I'd verify user ids for each daemon.

That's probably a very good idea.

> >>3) Chroot jail daemon processes wherever possible.
> > Hmm.. any good guides or pointers to get Apache, MySQL, Postfix,
> > Courier-imap, rsyncd, ventrilo, cs-server, zope and so on to run in
> > jails?
> As another poster has mentioned, mod_chroot for apache is worth looking
> into. rsyncd on gentoo comes with options to chroot in the conf.d as I
> recall. Postfix is quite happy to chroot after setting a config option
> as long as the jail is set up properly. The docs on postfix.org go into
> this setup pretty carefully.

Now that you mention it, I seem to recall actually having run rsyncd in
a chroot earlier. And for Postfix I'm gonna go run off to postfix.org
asap - or maybe that Postfix book I bought earlier this year has
something about that subject. It's the one by Patrick Koetter and Ralf
Hildebrandt and I seem to recall that they are very security conscious.

> > That's a very good idea, only they still need to be able to start their
> > programs as they are used to. I can't seem to find jail-shell anywhere.
> > Is it just a concept for configuring i.e. Bash or is it actually
> > available somewhere?
> Googling "jail shell" turns up several different shells designed for this.

Of course, I should have tried thinking a little there - I'll go google
it :)

> Good luck,

Thank you.

--
Anders
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/O d--@ s:+ a-- C++ UL+++$ P++ L+++ E- W+ N(+) o K? w O-- M- V
PS+ PE@ Y+ PGP+ t 5 X R+ tv+ b++ DI+++ D+ G e- h !r y?
------END GEEK CODE BLOCK------
PGPKey: http://random.sks.keyserver.penguin.de:11371/pks/lookup?op=get&search=0xD4DEFED0
--
gentoo-security@g.o mailing list