public inbox for gentoo-dev@lists.gentoo.org
From: Ned Ludd <solar@gentoo.org>
To: gentoo-dev@gentoo.org
Subject: Re: [gentoo-dev] chroot USE flag?
Date: 17 Jul 2003 23:08:52 -0400
Message-ID: <1058497732.5788.23.camel@simple>
In-Reply-To: <1058511249.8620.14.camel@y0shi>

On Fri, 2003-07-18 at 02:54, Brandon Hale wrote:
> On Thu, 2003-07-17 at 08:52, Alvaro Figueroa Cabezas wrote:
> 
> > Well, if the idea is to harden boxes, this chroot flag should
> > apply to every service thinkable... (And this is a _lot_ of work)

It's not that bad really and has many useful uses outside of security
environments alone.

> I can't argue with that, but the initial goal would be to harden a few
> commonly used or notoriously insecure services. These include bind, ntpd
> and apache to name a few. I am currently working with the bind ebuild to
> adapt the chroot code to respect USE="chroot."

I will support this flag and will help out where I can, perhaps adopting
a script I've been using myself to chroot services on gentoo as an
eclass http://dev.gentoo.org/~solar/gentoo.mkchroot. Then I/we should be
able to take the acls generated from grsec in learning mode to create
runtime package profiles which could be used to tell us what exactly
needs to be in our chroot jail.

On another note I will be happy to pay the first person who codes
sys_jail() for linux as a kernel patch 2 magic beans and a pocket full
of lint.

> 
> > But if the idea is to really harden boxes, chroots should be forgotten,
> > and capabilities applied :).
> 
> I'm not sure what you mean by capabilities, but I received a similar
> argument concerning SE Linux, whose superior security model negates the
> usefulness of chroot'ing a service.  However, SE Linux is currently
> difficult to implement effectively and not a feasible choice for the
> average sysadmin. Chroot'ing key services could be nicely complemented
> by grsec's chroot hardening, and provide what I believe to be a workable
> solution to increase security in Gentoo.
> 

Capabilities are basically a repartition of root's permissions. Here is the
basic list of them:
http://www.gentoo.org/proj/en/hardened/capabilities.xml


> 
> 
> --
> gentoo-dev@gentoo.org mailing list
-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux Developer (Hardened)


--
gentoo-dev@gentoo.org mailing list
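
Added example, not part of the original message and not Gentoo or grsec code: the capabilities discussed above are a per-process bitmask, so a chrooted service can be checked for capabilities that weaken its jail by decoding the CapEff line of /proc/<pid>/status. The function names, the RISKY_IN_CHROOT selection and both sample status dumps are assumptions constructed for illustration.

```python
import re

# Capability bit numbers 0..28 as defined in <linux/capability.h>.
CAP_NAMES = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE""".split()

# Assumption for this example: capabilities that let a process reach outside
# or undo a chroot. An illustrative selection, not an official list.
RISKY_IN_CHROOT = {"SYS_CHROOT", "MKNOD", "SYS_ADMIN", "SYS_MODULE",
                   "SYS_RAWIO", "SYS_PTRACE", "DAC_OVERRIDE"}


def decode(mask):
    """Return the names of the capability bits set in an integer mask."""
    return ["CAP_" + n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1]


def effective_caps(status_text):
    """Extract and decode the CapEff line of a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError("no CapEff line found")
    return decode(int(m.group(1), 16))


def audit_chrooted(status_text):
    """List capabilities a chrooted service still holds that weaken the jail."""
    return [c for c in effective_caps(status_text) if c[4:] in RISKY_IN_CHROOT]


# Constructed samples: a daemon running as full root (bits 0..28 set) and one
# that kept only the two capabilities it needs after dropping root.
ROOT_DAEMON = "Name:\tnamed\nUid:\t0\t0\t0\t0\nCapEff:\t000000001fffffff\n"
CONFINED_DAEMON = "Name:\tntpd\nUid:\t123\t123\t123\t123\nCapEff:\t0000000002000400\n"

if __name__ == "__main__":
    for sample in (ROOT_DAEMON, CONFINED_DAEMON):
        print(effective_caps(sample), "->", audit_chrooted(sample))
```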

