
Re: Debian Security-HOWTO



Christian Kurz wrote:
> 
> 
> >       I have checked it out and would really like to see it included in
> >       the DDP and think that debian security gurus should help in
> 
> Well, which package should include this documentation? May I also say,
> that some debian security interested guys helped in creating this
> document?

	As for the first one I do not know, maybe we should create a debian-security
package to provide this kind of information like the java-common package
provides the Java FAQ and the Java policy as well as being a suitable metapackage.
	How about having a package providing this document and some useful scripts (for
example cron.daily updates from security.debian.org) and dependencies on
security-related packages. Kind of a meta-package...

> 
> >       improving it. One thing I would like to have nicely documented is to
> >       make chroot jails. But not Linux-wide but Debian-specific, that is:
> 
> What should be documented? Mostly you need to have all config files,
> libraries and binaries in the same structure as under / in a separate
> dir, where you chroot to.

	See below.

> 
> >       is there a way to build packages available in Debian in order to
> >       easily install them chrooted?  My first thought is that only if the
> 
> You don't need to statically link packages to chroot them. You can also
> chroot them, if they use dynamic linking, but then you need to copy
> these libs also into the chroot-dir.

	I do know.

> 
> >       ideas? Also, since the package would depend on other packages we
> >       need to have this in the chrooted environment too, is there an
> >       *easy* way to do this?  (without needing to have two package
> >       databases)
> 
> No, that's why I think chroots should always be set up by the admin and
> not by any tool. And a good idea knows how to create chroots even for
> programs using dynamic linking.
> 
	I don't quite think the same here. You could use the powerful package
management tools in order to automatically do this like:

	(user) - ok I want bind installed but chrooted in /home/bind
	(apt/dpkg) - downloading bind
	(apt/dpkg) - installing in /home/bind
	(apt/dpkg) - checking dependencies of bind
	(apt/dpkg) - moving related libraries (to allow dynamic linking) into
			/home/bind
	(apt/dpkg) - changing default init.d script to run bind but chrooted into
			/home/bind
	
	(....)

	(user) - dpkg --status bind
	(dpkg) Package: bind...
		Chrooted-in: /home/bind


	Did it make any sense?

	Regards

	Javi
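
Added example, not part of the original message and not an existing apt/dpkg feature: a shell sketch of the "moving related libraries" step discussed above, copying a dynamically linked binary and the libraries `ldd` reports into a jail under the same paths they have below /. The function names and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Print absolute library paths from ldd-style output on stdin. Handles
# "name => /path (addr)" and "/path (addr)" (the dynamic loader); virtual
# entries such as linux-vdso have no file on disk and are skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }' | LC_ALL=C sort -u
}

# Print libraries that ldd reported as "not found".
ldd_missing() {
    awk '$2 == "=>" && $3 == "not" { print $1 }'
}

# Copy one file into the jail, keeping the path it has below /.
copy_into_jail() {
    cj_src=$1; cj_jail=$2
    mkdir -p "$cj_jail$(dirname "$cj_src")" && cp -p "$cj_src" "$cj_jail$cj_src"
}

# Copy a binary and all its shared libraries into the jail.
# ldd may run code from the binary it inspects: use it on trusted binaries only.
populate_jail() {
    pj_bin=$1; pj_jail=$2
    # ldd exits non-zero for static binaries; they need no libraries.
    pj_out=$(ldd "$pj_bin" 2>/dev/null) || pj_out=""
    pj_missing=$(printf '%s\n' "$pj_out" | ldd_missing)
    [ -z "$pj_missing" ] || { echo "unresolved: $pj_missing" >&2; return 1; }
    copy_into_jail "$pj_bin" "$pj_jail" || return 1
    printf '%s\n' "$pj_out" | ldd_paths | while IFS= read -r pj_lib; do
        copy_into_jail "$pj_lib" "$pj_jail" || exit 1
    done
}

# Constructed sample of ldd output, used to exercise the parsers offline.
sample_ldd_output() {
cat <<'EOF'
	linux-vdso.so.1 (0x00007ffd5a1f2000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c1a200000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f3c1a5d0000)
	libmissing.so.1 => not found
EOF
}

# Usage: script BINARY JAILDIR
if [ "$#" -eq 2 ]; then populate_jail "$1" "$2"; fi
```

Configuration files and anything the program opens at run time (for example through dlopen or NSS) are not listed by `ldd` and still have to be placed in the jail by hand.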
