Re: default security
Javier Fernández-Sanguino Peña wrote:
>
> On Tue, Jan 15, 2002 at 01:51:32PM +0100, martin f krafft wrote:
> >
> > > Debian could provide, with only some effort from package
> > > maintainers versions of daemons chrooted to given environments. This
> > > however, might break Policy (IMHO).
> >
> > how would it break policy?
>
> (sorry, catching up with posts)
>
> Policy would be broken because a chroot installation would need
> all the libraries, configuration files, etc... that the service needed
> to be placed in a given fixed location
> (for example /usr/lib/named/etc, /usr/lib/named/var/{log,run})
> This defeats the FHS
He's referring to the Debian Filesystem Hierarchy Standard, which I keep
having to re-look-up, so here's the link if anyone else wants to, as
found on Google:
http://www.pathname.com/fhs/
> and also one of Debian's primary assumptions
> (all configuration files in /etc for example) on which the policy is
> based.
> This also makes it more difficult for package maintainance,
> how do I propagate changes from dynamic libraries to chrooted services?
> Of course, if the service is able to chroot itself (example is bind's
> -t flag or proftp's anonymous chrooted environment) this is less of an
> issue since you can run it properly and
> just need config, log, data and pid files in the chrooted environment.
>
> Regards
>
> Javi
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
--
http://www.eskimo.com/~xeno
xeno@eskimo.com
Physically I'm at: 5101 N. 45th St., Tacoma, WA, 98407-3717, U.S.A.
Reply to: