
Re: Task harden.



On Sun, Apr 01, 2001 at 10:26:08PM +0200, Ola Lundqvist wrote:

> * What packages can improve security.

bind.  there must be either an option at bind install to set it up in
a chroot jail running as named.named and not as root.  or else a
package which moves/diverts all its config files to inside the chroot,
and diverts the initscript to one that updates the named binaries in
the chroot and runs it chrooted and non-root.  either that or fork the
bind package entirely, this is less desirable than the other options
since every bind security update must be applied to two bind packages
instead of one (more work for the overworked security team).  

if this task-harden does ANYTHING at all it must get bind running in a
chroot jail as named.named and not root.  

> And now some questions (that can be discussed).
> * I intend to conflict with inetd. Do you think that is ok?

inetd isn't really a security problem at least not that i know of.
it's what you put in /etc/inetd.conf that is the security hole.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
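
Added example, not part of the original message: a shell check that a running process meets the requirement stated above for named, that is, a non-root effective UID and a root directory other than `/`. It assumes a Linux-style `/proc`; the `PROC_DIR` variable and the `check_confined` function name are introduced here for illustration.

```shell
#!/bin/sh
# PROC_DIR (an assumption of this example) lets the check run against a
# constructed /proc-like tree; on a live system it defaults to /proc.
PROC_DIR="${PROC_DIR:-/proc}"

# check_confined PID
# Prints a verdict and returns:
#   0  process is chrooted and not running as root
#   1  process runs as root and/or has "/" as its root directory
#   2  process could not be inspected
check_confined() {
    pid="$1"
    status="$PROC_DIR/$pid/status"
    [ -r "$status" ] || { echo "pid $pid: cannot read $status"; return 2; }

    # The Uid: line lists real, effective, saved and filesystem UIDs;
    # field 3 is the effective UID.
    euid=$(awk '/^Uid:/ { print $3 }' "$status")
    [ -n "$euid" ] || { echo "pid $pid: no Uid line in $status"; return 2; }

    # /proc/PID/root is a symlink to the process's root directory.
    # Reading it for another user's process normally requires root.
    root=$(readlink "$PROC_DIR/$pid/root") || {
        echo "pid $pid: cannot read root link"; return 2; }

    rc=0
    [ "$euid" != "0" ] || { echo "pid $pid: FAIL effective UID is 0 (root)"; rc=1; }
    [ "$root" != "/" ] || { echo "pid $pid: FAIL root directory is / (no chroot)"; rc=1; }
    [ "$rc" -ne 0 ] || echo "pid $pid: OK euid=$euid root=$root"
    return "$rc"
}

# Stand-alone use: pass the PID of the daemon to check as the first argument.
if [ "$#" -gt 0 ]; then
    check_confined "$1"
fi
```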
