[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian Security-HOWTO

Christian Kurz escribió:
> >       I have checked it out and would really like to see it included in
> >       the DDP and think that debian security guru's should help in
> Well, which package should include this documentation? May I also say,
> that some debian security interested guys helped in creating this
> document?

	As for the first one I do not know, maybe we should create a debian-security
package to provide this kind of information like the java-common package
provides the Java FAQ and the Java policy as well as being a suited metapackage.
	How about having a package providing this document and some useful scripts (for
example cron.daily updates from security.debian.org) and dependancies on
security-related packages. Kind of a meta-package...

> >       improving it. One thing I would like to have nicely documented is to
> >       make chroot jails. But not Linux-wide but Debian-specific, that is:
> What should be documented? Mostly you need to have all config files,
> libaries and binaries in the same structure as under / in a seperate
> dir, where you chroot to.

	See below.

> >       is there a way to build packages available in Debian in order to
> >       easily install them chrooted?  My first thought is that only if the
> You don't need to statically link packages to chroot them. You can also
> chroot them, if they use dynamic linking, but then you need to copy
> these libs also into the chroot-dir.

	I do know.

> >       ideas? Also, since the package would depend on other packages we
> >       need to have this in the chrooted environment too, is there an
> >       *easy* way to do this?  (without needing to have two package
> >       databases)
> No, that's why I think chroots should always be set up by the admin and
> not by any tool. And a good idea knows how to create chroots even for
> programs using dynamic linking.
	I'm not quite the same thinking here. You could use the powerful package 
management tools in order to automatically do this like:

	(user) - ok I want bind installed but chrooted in /home/bind
	(apt/dpkg) - downloading bind
	(apt/dpkg) - installing in /home/bind
	(apt/dpkg) - checking dependancies of bind
	(apt/dpkg) - moving related libraries (to allow dynamic linking) into
	(apt/dpkg) - changing default init.d script to run bind but chrooted into

	(user) - dpkg --status bind
	(dpkg) Package: bind...
		Chrooted-in: /home/bind

	Did it make any sense?


n:Fernández-Sanguino Peña;Javier
tel;fax:+34-91 806 46 41
tel;work:+34-91 806 46 40
org:SGI-GMV sistemas;Seguridad Lógica
adr:;;Sector Foresta 1;Tres Cantos;Madrid;E-28760;Spain
fn:Javier Fernández-Sanguino Peña

Reply to: