
Re: User Mode Linux



On Mon, 20 Jan 2003 15:15, Andrius Adomaitis wrote:
> > The FTP server and IMP cause me the most concerns....
> >
> > Any ideas? Anyone used UML and changed back?
>
> UML is not a solution here. For security use a capabilities system along with
> chroot environments.
> Check out http://www.grsecurity.org/papers.php ,
> http://www.openwall.com/linux , man chroot. Of course dedicated machines for
> smtp/pop3/imap, web/ftp, sql, dns are better, but still consider using some
> system wide security system.

Grsec and similar kernel patches are good.  However one problem that they face 
is that you don't have a single system image any more.  If you have separate 
chroots for mail delivery, POP, DNS, FTP, and Apache then you have 5 
different environments to keep up to date with security patches etc.

If you use SE Linux then you get more isolation between processes than you get 
in a chroot on a non-patched kernel, and you get a single system image so 
that dselect can be used once to update things.

Also it should be noted that if you use separate hardware for the separate 
services then you need to have different passwords on the different 
machines...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


