Re: LIDS vers. chroot

To: Benjamin Schuele <benjamin.schuele@sig-robotics.com>
Cc: debian-security@lists.debian.org
Subject: Re: LIDS vers. chroot
From: Ralf Dreibrodt <rd@mesos.de>
Date: Wed, 05 Feb 2003 11:07:38 +0100
Message-id: <[🔎] 3E40E26A.89780F43@mesos.de>
References: <[🔎] 000801c2cce6$4b130fc0$6e85859e@sps.sigpack.com>

Hi,

> Benjamin Schuele wrote:
> 
> I would like to initiate a discussion about LIDS and chroot to setup a
> secure server.

i prefer the solution to use chroot _with_ LIDS.
Make everything you would do without chroot and chroot the process (e.g.
bind, apache, etc.).
Remove the CAP_SYS_CHROOT from _every_ binary within the chroot, only
programs outside the chroot should have them.

Well, i think the solution depends on you paranoia level ;)

Regards,
Ralf Dreibrodt

-- 
Mesos            Telefon 49 221 4855798-1
Eupener Str. 150 Fax     49 221 4855798-9
50933 Koeln      Mail    rd@mesos.de

Reply to:

References:
- LIDS vers. chroot
  - From: "Benjamin Schuele" <benjamin.schuele@sig-robotics.com>

Prev by Date: LIDS vers. chroot
Next by Date: Firewall testing
Previous by thread: LIDS vers. chroot
Next by thread: Re: LIDS vers. chroot
Index(es):
- Date
- Thread