Re: Debian Security-HOWTO
Christian Kurz wrote:
>
>
> > I have checked it out and would really like to see it included in
> > the DDP and think that Debian security gurus should help in
>
> Well, which package should include this documentation? May I also say
> that some Debian security interested guys helped in creating this
> document?
As for the first one I do not know, maybe we should create a debian-security
package to provide this kind of information like the java-common package
provides the Java FAQ and the Java policy as well as being a suitable metapackage.
How about having a package providing this document and some useful scripts (for
example cron.daily updates from security.debian.org) and dependencies on
security-related packages. Kind of a meta-package...
>
> > improving it. One thing I would like to have nicely documented is to
> > make chroot jails. But not Linux-wide but Debian-specific, that is:
>
> What should be documented? Mostly you need to have all config files,
> libraries and binaries in the same structure as under / in a separate
> dir, where you chroot to.
See below.
>
> > is there a way to build packages available in Debian in order to
> > easily install them chrooted? My first thought is that only if the
>
> You don't need to statically link packages to chroot them. You can also
> chroot them, if they use dynamic linking, but then you need to copy
> these libs also into the chroot-dir.
I do know.
>
> > ideas? Also, since the package would depend on other packages we
> > need to have this in the chrooted environment too, is there an
> > *easy* way to do this? (without needing to have two package
> > databases)
>
> No, that's why I think chroots should always be set up by the admin and
> not by any tool. And a good idea knows how to create chroots even for
> programs using dynamic linking.
>
I don't quite think the same way here. You could use the powerful package
management tools in order to automatically do this like:
(user) - ok I want bind installed but chrooted in /home/bind
(apt/dpkg) - downloading bind
(apt/dpkg) - installing in /home/bind
(apt/dpkg) - checking dependencies of bind
(apt/dpkg) - moving related libraries (to allow dynamic linking) into
/home/bind
(apt/dpkg) - changing default init.d script to run bind but chrooted into
/home/bind
(....)
(user) - dpkg --status bind
(dpkg) Package: bind...
Chrooted-in: /home/bind
Did it make any sense?
Regards
Javi
Javier Fernández-Sanguino Peña
SGI-GMV sistemas, Seguridad Lógica
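
The thread above notes that a dynamically linked program can be chrooted as long as its libraries are copied into the chroot directory in the same structure as under /. The shell functions below are an added example (not part of the original message and not an existing Debian tool) that do this with ldd; the function names are hypothetical, and /usr/sbin/named in the usage comment is an assumed path for the bind daemon.

```shell
#!/bin/sh
# Added example: fill a chroot directory with a dynamically linked binary and
# the shared libraries ldd reports, keeping the same layout as under /.
# ldd does not list libraries loaded at run time with dlopen (NSS modules, for
# instance), config files or device nodes; those still have to be copied by hand.

# Read `ldd` output on stdin and print the absolute library paths it names.
# Handles "libc.so.6 => /lib/.../libc.so.6 (0x...)" and
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; linux-vdso (no file on disk) and
# "=> not found" entries produce no path.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    ' | LC_ALL=C sort -u
}

# Read `ldd` output on stdin and print the names of unresolved libraries.
ldd_missing() {
    awk '$2 == "=>" && $3 == "not" { print $1 }'
}

# copy_into_jail JAIL FILE: copy FILE (absolute path) to JAIL/FILE,
# following symlinks so the jail holds the real library, not a dangling link.
copy_into_jail() {
    jail=$1 src=$2
    mkdir -p "$jail$(dirname "$src")" && cp -pL "$src" "$jail$src"
}

# populate_jail JAIL BINARY: copy BINARY and each library it links against.
# Returns non-zero if a copy fails or ldd reports a library as "not found".
populate_jail() {
    jail=$1 bin=$2
    report=$(ldd "$bin" 2>/dev/null)   # empty for a statically linked binary
    missing=$(printf '%s\n' "$report" | ldd_missing)
    if [ -n "$missing" ]; then
        echo "unresolved libraries for $bin: $missing" >&2
        return 1
    fi
    copy_into_jail "$jail" "$bin" || return 1
    printf '%s\n' "$report" | ldd_paths | while read -r lib; do
        copy_into_jail "$jail" "$lib" || exit 1
    done
}

# Usage (as root, paths assumed): populate_jail /home/bind /usr/sbin/named
```

Run ldd only on binaries you already trust, since on glibc systems it can invoke the program's loader to resolve the library list.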