From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-dev-return-4737-arch-gentoo-dev=gentoo.org@gentoo.org>
Received: (qmail 19925 invoked by uid 1002); 18 Jul 2003 02:37:15 -0000
Mailing-List: contact gentoo-dev-help@gentoo.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:gentoo-dev@gentoo.org>
List-Help: <mailto:gentoo-dev-help@gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev-unsubscribe@gentoo.org>
List-Subscribe: <mailto:gentoo-dev-subscribe@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@gentoo.org
Received: (qmail 14395 invoked from network); 18 Jul 2003 02:37:15 -0000
From: Brandon Hale <brandon@comp-u-tek.com>
To: gentoo-dev@gentoo.org
In-Reply-To: <20030717125214.GB1205@fuerzag.ulatina.ac.cr>
References: <1058505300.8186.12.camel@y0shi>
	 <20030717125214.GB1205@fuerzag.ulatina.ac.cr>
Content-Type: text/plain
Message-Id: <1058511249.8620.14.camel@y0shi>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.3 
Date: 18 Jul 2003 02:54:09 -0400
Content-Transfer-Encoding: 7bit
Subject: Re: [gentoo-dev] chroot USE flag?
X-Archives-Salt: ddaf13a1-cbcc-4982-ad3a-7a089b505a83
X-Archives-Hash: cb5f6257a7fe477bc60c34358e19ef3b

On Thu, 2003-07-17 at 08:52, Alvaro Figueroa Cabezas wrote:

> Well, if the idea is to harden boxes, this chroot flag should
> apply to every service thinkable... (And this is a _lot_ of work)

I can't argue with that, but the initial goal would be to harden a few
commonly used or notoriously insecure services. These include bind, ntpd
and apache to name a few. I am currently working with the bind ebuild to
adapt the chroot code to respect USE="chroot."

> But if the idea is to really harden boxes, chroots should be forgotten,
> and capabilities applied :).

I'm not sure what you mean by capabilities, but I received a similar
argument concerning SE Linux, whose superior security model negates the
usefulness of chroot'ing a service.  However, SE Linux is currently
difficult to implement effectively and not a feasible choice for the
average sysadmin. Chroot'ing key services could be nicely complemented
by grsec's chroot hardening, and provide what I believe to be a workable
solution to increase security in Gentoo.

--
gentoo-dev@gentoo.org mailing list