From: Nathanael Hoyle
Date: Wed, 09 Nov 2005 16:11:42 -0600
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] Advice about security solution
Message-ID: <4372741E.1010903@speedexpress.net>
In-Reply-To: <20051109211639.GN14230@elmer.skumleren.net>

Anders Bruun Olsen wrote:
> On Wed, Nov 09, 2005 at 02:26:28PM -0600, Nathanael Hoyle wrote:
>
>>> I use the default Gentoo accounts for daemons - fairly certain none of them use "nobody". I may be wrong?
>>
>> Can't answer that question for all gentoo ebuilds. There are probably some that do. I haven't run all of the daemons that you are running, but rather than assume, check them out individually. As one example, I was dismayed to realize when I emerged pdns that by default it just runs as root. I manually added a user and group for pdns and modified the config to run as those users after binding the port initially (since port 53 is privileged). I'd verify user IDs for each daemon.
>
> That's probably a very good idea.
>
>>>> 3) Chroot jail daemon processes wherever possible.
>>>
>>> Hmm.. any good guides or pointers to get Apache, MySQL, Postfix, Courier-imap, rsyncd, ventrilo, cs-server, zope and so on to run in jails?
>>
>> As another poster has mentioned, mod_chroot for apache is worth looking into. rsyncd on gentoo comes with options to chroot in the conf.d as I recall. Postfix is quite happy to chroot after setting a config option as long as the jail is set up properly. The docs on postfix.org go into this setup pretty carefully.
>
> Now that you mention it, I seem to recall actually having run rsyncd in a chroot earlier. And for Postfix I'm gonna go run off to postfix.org asap - or maybe that Postfix book I bought earlier this year has something about that subject. It's the one by Patrick Koetter and Ralf Hildebrandt and I seem to recall that they are very security conscious.

That would be "The Book of Postfix".
I'm an active participant in the Postfix users' list, and I've corresponded with Patrick and Ralf several times; they know their stuff, and I've heard very good things about the book. I'm planning to pick up a copy one of these days. I'd expect the coverage of security aspects to be quite good.

>>> That's a very good idea, only they still need to be able to start their programs as they are used to. I can't seem to find jail-shell anywhere. Is it just a concept for configuring i.e. Bash or is it actually available somewhere?
>>
>> Googling "jail shell" turns up several different shells designed for this.
>
> Of course, I should have tried thinking a little there - I'll go google it :)
>
>> Good luck,
>
> Thank you.

-- 
Nathanael Hoyle
Systems and Networking
Speed Express Networks, LLC
nhoyle@speedexpress.net
432.837.2811

-- 
gentoo-security@gentoo.org mailing list