Re: goals for hardening Debian: ideas and help wanted
- To: debian-devel@lists.debian.org
- Subject: Re: goals for hardening Debian: ideas and help wanted
- From: Tzafrir Cohen <tzafrir@cohens.org.il>
- Date: Fri, 2 May 2014 06:41:05 +0200
- Message-id: <20140502044104.GI2552@lemon.cohens.org.il>
- In-reply-to: <686939.12569.bm@smtp141.mail.ir2.yahoo.com>
- References: <1398308259.7980.49.camel@chianamo> <20140429020744.26376063@eunet.rs> <CAKTje6FK8+7X-HrHNV-+jhN2yRnKouoBgZY6c7HSG5E3OZeM_A@mail.gmail.com> <686939.12569.bm@smtp141.mail.ir2.yahoo.com>
On Tue, Apr 29, 2014 at 11:24:19AM +0100, Kevin Chadwick wrote:
> previously on this list people contributed:
>
> > > - easy create and run programs from chroot and alternate users
> >
> > Could you detail what you mean by this? It sounds like you want either
> > virtual machines or something like docker.io:
> >
> > https://packages.debian.org/sid/docker.io
>
> > > >
> > > > hint: chroot $CHROOT_PATH su - $USER -c "$command_with_args"
>
> > > > > Security and chroots aren't things I would associate, you need better.
>
> A wide misconception. Chroots are easily implemented and add security
> almost for free
Not completely for free. You now have an extra mini-system to maintain.
> (often /dev/log is all that is needed) and so can be
> used by default without any potential problems,
> they also never bring
> new risks
unless you forget to update them.
It's also worth mentioning systemd-nspawn:
http://www.freedesktop.org/software/systemd/man/systemd-nspawn.html
--
Tzafrir Cohen | tzafrir@jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tzafrir@cohens.org.il | | best
tzafrir@debian.org | | friend