Gentoo Archives: gentoo-security

From: Nathanael Hoyle <nhoyle@××××××××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Advice about security solution
Date: Wed, 09 Nov 2005 22:17:18
Message-Id: 4372741E.1010903@speedexpress.net
In Reply to: Re: [gentoo-security] Advice about security solution by Anders Bruun Olsen
1 Anders Bruun Olsen wrote:
2 > On Wed, Nov 09, 2005 at 02:26:28PM -0600, Nathanael Hoyle wrote:
3 >
4 >>>I use the default Gentoo accounts for daemons - fairly certain none of
5 >>>them use "nobody". I may be wrong?
6 >>
7 >>Can't answer that question for all gentoo ebuilds. There are probably
8 >>some that do. I haven't run all of the daemons that you are running,
9 >>but rather than assume, check them out individually. As one example, I
10 >>was dismayed to realize when I emerged pdns that by default it just runs
11 >>root. I manually added a user and group for pdns and modified the
12 >>config to run as those users after binding the port initially (since
13 >>port 53 is priviledged). I'd verify user id's for each daemon.
14 >
15 >
16 > That's probably a very good idea.
17 >
18 >
19 >>>>3) Chroot jail daemon processes wherever possible.
20 >>>
21 >>>Hmm.. any good guides or pointers to get Apache, MySQL, Postfix,
22 >>>Courier-imap, rsyncd, ventrilo, cs-server, zope and so on to run in
23 >>>jails?
24 >>
25 >>As another poster has mentioned, mod_chroot for apache is worth looking
26 >>into. rsyncd on gentoo comes with options to chroot in the conf.d as I
27 >>recall. Postfix is quite happy to chroot after setting a config option
28 >>as long as the jail is set up properly. The docs on postfix.org go into
29 >>this setup pretty carefully.
30 >
31 >
32 > Now that you mention it, I seem to recall actually having run rsyncd in
33 > a chroot earlier. And for Postfix I'm gonna go run off to postfix.org
34 > asap - or maybe that Postfix book I bought earlier this year has
35 > something about that subject. It's the one by Patrick Koetter and Ralf
36 > Hildebrandt and I seem to recall that they are very security concious.
37 >
38 >
39 That would be "The Book of Postfix". I'm an active participant in the
40 Postfix users' list, and I've corresponded with Patrick and Ralf several
41 times, they know their stuff and I've heard very good things about the
42 book, planning to pick up a copy one of these days. I'd expect the
43 coverage of security aspects to be quite good.
44
45
46 >>>That's a very good idea, only they still need to be able to start their
47 >>>programs as they are used to. I can't seem to find jail-shell anywhere.
48 >>>Is it just a concept for configuring i.e. Bash or is it actually
49 >>>available somewhere?
50 >>
51 >>Googling "jail shell" turns up several different shells designed for this.
52 >
53 >
54 > Of course, I should have tried thinking a little there - I'll go google
55 > it :)
56 >
57 >
58 >>Good luck,
59 >
60 >
61 > Thank you.
62 >
63
64
65 --
66 Nathanael Hoyle
67 Systems and Networking
68 Speed Express Networks, LLC
69 nhoyle@××××××××××××.net
70 432.837.2811
71
72 --
73 gentoo-security@g.o mailing list