From: Anders Bruun Olsen
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] Advice about security solution
Date: Wed, 9 Nov 2005 22:16:39 +0100
Message-ID: <20051109211639.GN14230@elmer.skumleren.net>
In-Reply-To: <43725B74.6000409@speedexpress.net>
References: <20051108222120.GJ14230@elmer.skumleren.net> <43712B15.2040608@speedexpress.net> <20051109081638.GK14230@elmer.skumleren.net> <43725B74.6000409@speedexpress.net>
User-Agent: Mutt/1.5.8i
X-PGP-Key: http://random.sks.keyserver.penguin.de:11371/pks/lookup?op=get&search=0xD4DEFED0

On Wed, Nov 09, 2005 at 02:26:28PM -0600, Nathanael Hoyle wrote:
> > I use the default Gentoo accounts for daemons - fairly certain none of
> > them use "nobody". I may be wrong?
> Can't answer that question for all gentoo ebuilds. There are probably
> some that do. I haven't run all of the daemons that you are running,
> but rather than assume, check them out individually. As one example, I
> was dismayed to realize when I emerged pdns that by default it just runs
> as root. I manually added a user and group for pdns and modified the
> config to run as those users after binding the port initially (since
> port 53 is privileged). I'd verify user ids for each daemon.

That's probably a very good idea.

> >>3) Chroot jail daemon processes wherever possible.
> > Hmm.. any good guides or pointers to get Apache, MySQL, Postfix,
> > Courier-imap, rsyncd, ventrilo, cs-server, zope and so on to run in
> > jails?
> As another poster has mentioned, mod_chroot for apache is worth looking
> into. rsyncd on gentoo comes with options to chroot in the conf.d as I
> recall. Postfix is quite happy to chroot after setting a config option
> as long as the jail is set up properly. The docs on postfix.org go into
> this setup pretty carefully.

Now that you mention it, I seem to recall actually having run rsyncd in a
chroot earlier. And for Postfix I'm gonna go run off to postfix.org asap - or
maybe that Postfix book I bought earlier this year has something about that
subject. It's the one by Patrick Koetter and Ralf Hildebrandt and I seem to
recall that they are very security conscious.

> > That's a very good idea, only they still need to be able to start their
> > programs as they are used to. I can't seem to find jail-shell anywhere.
> > Is it just a concept for configuring i.e. Bash or is it actually
> > available somewhere?
> Googling "jail shell" turns up several different shells designed for this.

Of course, I should have tried thinking a little there - I'll go google it :)

> Good luck,

Thank you.
-- 
Anders

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/O d--@ s:+ a-- C++ UL+++$ P++ L+++ E- W+ N(+) o K? w O-- M- V PS+ PE@
Y+ PGP+ t 5 X R+ tv+ b++ DI+++ D+ G e- h !r y?
------END GEEK CODE BLOCK------
PGPKey: http://random.sks.keyserver.penguin.de:11371/pks/lookup?op=get&search=0xD4DEFED0

-- 
gentoo-security@gentoo.org mailing list
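The "verify user ids for each daemon" check from the quoted reply, as an added example that is not part of the list thread or of any Gentoo tooling. It narrows the check to processes that hold a listening socket, since those are the ones reachable from the network, and flags the two cases the thread worries about: a daemon that still runs as root (the pdns case) and one that hides behind the shared "nobody" account. The SKIP list, the sample `ps`/`ss` output and the pids in it are constructed for the example; live mode assumes GNU procps `ps` and an iproute2 `ss` that supports `-H`, and `ss -p` only shows other users' sockets when run as root.

```shell
#!/bin/sh
# Added example, not code from the gentoo-security thread. Cross-references
# `ps -eo user,pid,comm` with `ss -Hlntup` and reports listening daemons
# that run as root or as the catch-all nobody account.

# Daemons expected to hold their socket as root on this host.
# This list is an assumption for the example; tune it per machine.
SKIP="init sshd"

# listening_pids SS_OUTPUT
# Extract the pids from `ss -Hlntup` lines, whose process column looks like
#   users:(("pdns_server",pid=1101,fd=5))
# One pid per output line, numerically sorted and de-duplicated.
listening_pids() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^pid=\([0-9]*\).*/\1/p' | sort -un
}

# audit PS_OUTPUT SS_OUTPUT
# For every process that holds a listening socket, print
#   "ROOT <pid> <comm>"   if it runs as root and is not in SKIP, or
#   "SHARED <pid> <comm>" if it runs as nobody.
# PS_OUTPUT is `ps -eo user,pid,comm`; SS_OUTPUT is `ss -Hlntup`.
audit() {
    pids=$(listening_pids "$2" | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v pids="$pids" -v skip="$SKIP" '
        BEGIN {
            n = split(pids, p, " "); for (i = 1; i <= n; i++) listen[p[i]] = 1
            n = split(skip, s, " "); for (i = 1; i <= n; i++) ok[s[i]] = 1
        }
        NR == 1 && $1 == "USER" { next }   # column header from ps
        !($2 in listen)         { next }   # not holding a listening socket
        ($3 in ok)              { next }   # allowed to be root here
        $1 == "root"            { print "ROOT " $2 " " $3; next }
        $1 == "nobody"          { print "SHARED " $2 " " $3 }
    '
}

# Constructed sample input (not captured from a real host) so the script can
# be exercised offline: pdns bound to :53 as root, rsyncd running as nobody,
# and Apache whose root parent holds :80 while a worker runs as apache.
SAMPLE_PS='USER       PID COMMAND
root         1 init
root       812 sshd
root      1101 pdns_server
nobody    1230 rsync
mysql     1302 mysqld
postfix   1410 master
root      1411 apache2
apache    1412 apache2'

SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
udp   UNCONN 0 0   0.0.0.0:53     0.0.0.0:* users:(("pdns_server",pid=1101,fd=5))
tcp   LISTEN 0 5   0.0.0.0:873    0.0.0.0:* users:(("rsync",pid=1230,fd=4))
tcp   LISTEN 0 80  127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1302,fd=12))
tcp   LISTEN 0 100 0.0.0.0:25     0.0.0.0:* users:(("master",pid=1410,fd=13))
tcp   LISTEN 0 511 0.0.0.0:80     0.0.0.0:* users:(("apache2",pid=1412,fd=4),("apache2",pid=1411,fd=4))'

# `./audit.sh --live` scans the running system; with no argument it runs on
# the constructed sample and prints:
#   ROOT 1101 pdns_server
#   SHARED 1230 rsync
#   ROOT 1411 apache2
case "${1:-}" in
    --live) audit "$(ps -eo user,pid,comm)" "$(ss -Hlntup)" ;;
    *)      audit "$SAMPLE_PS" "$SAMPLE_SS" ;;
esac
```

Treat the output as the checklist the quoted reply asks for, not as a verdict: the Apache line is expected (the root parent keeps port 80 and forks workers that drop to the apache user), whereas the pdns line is the real finding, fixed the way the poster describes, by giving the daemon its own user and group and pointing its setuid/setgid config options at them so it drops privileges after binding port 53. A SHARED line is worth the same attention, because every daemon sharing nobody can read and signal the others.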