Anders Bruun Olsen wrote:
> On Wed, Nov 09, 2005 at 02:26:28PM -0600, Nathanael Hoyle wrote:
>
>>>I use the default Gentoo accounts for daemons - fairly certain none of
>>>them use "nobody". I may be wrong?
>>
>>Can't answer that question for all gentoo ebuilds. There are probably
>>some that do. I haven't run all of the daemons that you are running,
>>but rather than assume, check them out individually. As one example, I
>>was dismayed to realize when I emerged pdns that by default it just runs
>>as root. I manually added a user and group for pdns and modified the
>>config to run as those users after binding the port initially (since
>>port 53 is privileged). I'd verify user IDs for each daemon.
>
>
> That's probably a very good idea.
>
>
>>>>3) Chroot jail daemon processes wherever possible.
>>>
>>>Hmm.. any good guides or pointers to get Apache, MySQL, Postfix,
>>>Courier-imap, rsyncd, ventrilo, cs-server, zope and so on to run in
>>>jails?
>>
>>As another poster has mentioned, mod_chroot for apache is worth looking
>>into. rsyncd on gentoo comes with options to chroot in the conf.d as I
>>recall. Postfix is quite happy to chroot after setting a config option
>>as long as the jail is set up properly. The docs on postfix.org go into
>>this setup pretty carefully.
>
>
> Now that you mention it, I seem to recall actually having run rsyncd in
> a chroot earlier. And for Postfix I'm gonna go run off to postfix.org
> asap - or maybe that Postfix book I bought earlier this year has
> something about that subject. It's the one by Patrick Koetter and Ralf
> Hildebrandt and I seem to recall that they are very security conscious.
>
>
That would be "The Book of Postfix". I'm an active participant in the
Postfix users' list, and I've corresponded with Patrick and Ralf several
times; they know their stuff, and I've heard very good things about the
book. I'm planning to pick up a copy one of these days. I'd expect the
coverage of security aspects to be quite good.


>>>That's a very good idea, only they still need to be able to start their
>>>programs as they are used to. I can't seem to find jail-shell anywhere.
>>>Is it just a concept for configuring i.e. Bash or is it actually
>>>available somewhere?
>>
>>Googling "jail shell" turns up several different shells designed for this.
>
>
> Of course, I should have tried thinking a little there - I'll go google
> it :)
>
>
>>Good luck,
>
>
> Thank you.
>


--
Nathanael Hoyle
Systems and Networking
Speed Express Networks, LLC
nhoyle@××××××××××××.net
432.837.2811

--
gentoo-security@g.o mailing list
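The "bind the port as root, then switch to a dedicated user" pattern described for pdns above, plus the post-drop check a daemon should make before serving, as an added C example that is not from the thread or from pdns itself; the account name `pdns` and the jail path `/path/to/jail` are placeholders.

```c
#define _DEFAULT_SOURCE 1   /* for chroot() and setgroups() */
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on 0.0.0.0:port (a port below 1024 needs root). Returns the fd or -1. */
static int open_listener(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = {0};
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Enter the jail (if given) and become uid/gid permanently. Order matters: chroot while
 * still root, clear supplementary groups, set the gid, and only then the uid. Returns 0/-1. */
static int drop_privileges(const char *jail, uid_t uid, gid_t gid) {
    if (jail != NULL && (chroot(jail) != 0 || chdir("/") != 0)) return -1; /* cwd inside jail */
    if (getuid() == 0 && setgroups(0, NULL) != 0) return -1; /* non-root callers get EPERM here */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Post-drop check every daemon should make: root must be gone and must not be regainable. */
static int privileges_dropped(void) {
    return getuid() != 0 && geteuid() != 0 && setuid(0) != 0;
}

int main(void) {
    int fd = open_listener(53);                  /* must happen before dropping root */
    if (fd < 0) { perror("bind"); return 1; }
    struct passwd *pw = getpwnam("pdns");        /* placeholder: the hand-added daemon account */
    if (pw == NULL) { fprintf(stderr, "no such user\n"); return 1; }
    if (drop_privileges("/path/to/jail", pw->pw_uid, pw->pw_gid) != 0) { perror("drop"); return 1; }
    if (!privileges_dropped()) { fputs("still root, refusing to serve\n", stderr); return 1; }
    /* ... accept() and serve on fd as the unprivileged user ... */
    close(fd);
    return 0;
}
```

Run it as root to see the full sequence; the same `ps -o user,pid,comm` check suggested in the thread will then show the daemon under the dedicated account rather than root.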