Re: User Mode Linux
On Mon, 20 Jan 2003 15:15, Andrius Adomaitis wrote:
> > The FTP server and IMP cause me the most concerns....
> > Any ideas? Anyone used UML and changed back?
> UML is not a solution here. For security use a capabilities system along with
> chroot environments.
> Check out http://www.grsecurity.org/papers.php ,
> http://www.openwall.com/linux , man chroot. Of course dedicated machines for
> smtp/pop3/imap, web/ftp, sql, dns are better, but still consider using some
> system wide security system.

Grsec and similar kernel patches are good. However one problem that they face
is that you don't have a single system image any more. If you have separate
chroots for mail delivery, POP, DNS, FTP, and Apache then you have 5
different environments to keep up to date with security patches etc.

If you use SE Linux then you get more isolation between processes than you get
in a chroot on a non-patched kernel, and you get a single system image so
that dselect can be used once to update things.

Also it should be noted that if you use separate hardware for the separate
services then you need to have different passwords on the different
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page