On Tue, Jun 03, 2003 at 10:01:33AM -0700, Mark Ferlatte wrote:
> Phillip Hofmeister said on Tue, Jun 03, 2003 at 10:02:09AM -0400:
> > However, for the most part, chrooting is a valid countermeasure/method
> > to compartmentalize. It is a shame that no distribution comes with
> > packages natively created with/for chrooting.
>
> I believe that OpenBSD does.

Yes, it does. Although I don't believe that the way to go is chrooting, since it makes it very difficult to ease upgrades.

> Also, Debian's Bind 9 package is pretty trivial to chroot (although it doesn't
> by default). Debian's postfix package does chroot by default, although you
> tend to have to turn it off if you want to use things like postfix-tls or SASL.

There are a number of patches in the BTS to make bind work in a chroot environment out of the box, using bind's own chroot functionality. In any case, there are also a number of packages to provide an easy way to set up chroot/restricted environments (makejail and compartment come to mind).

In any case, I don't think that chrooting is the way to go here; it was built to be used as a testing/programming tool, not really a security tool. There are a number of (Linux) patches to provide full compartmentalization of processes in the system, which might be the way to go.

Just my 2c.

Regards

Javi
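The thread's caveat that chroot by itself is not a security boundary is worth showing concretely. The following C program is an added example, not code from the mail or from the bind or postfix packages: it enters a jail the way a daemon started with named's -t/-u options does, in the one order that is safe (chroot, chdir("/"), drop supplementary groups, setgid, setuid last), refuses to build a jail that keeps root, checks that the jail root is root-owned and not world-writable, and then verifies that the usual escape primitives (regaining uid 0, calling chroot again) are refused. The jail directory, uid and gid are caller-supplied assumptions; uid/gid 65534 in the usage text is assumed to be the conventional nobody/nogroup. Entering the jail needs CAP_SYS_CHROOT and CAP_SETUID/CAP_SETGID, so as an unprivileged user the chroot() step itself is what fails.

```c
/* Added example: confine a process to a chroot jail and prove it cannot
 * get back out. Not code from the mail thread or from bind/postfix;
 * jail dir, uid and gid are whatever the caller passes.
 * Build: cc -Wall -o jail jail.c
 * Use:   sudo ./jail /var/lib/named 65534 65534 /bin/sh   (paths are assumptions) */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum jail_result {
    JAIL_OK = 0,
    JAIL_ERR_BADUID,   /* caller asked to stay root: refused */
    JAIL_ERR_STAT,     /* jail directory does not exist or is unreadable */
    JAIL_ERR_PERMS,    /* jail root not root-owned, not a dir, or world-writable */
    JAIL_ERR_CHROOT,   /* chroot()/chdir() failed (needs CAP_SYS_CHROOT) */
    JAIL_ERR_DROP,     /* setgroups()/setgid()/setuid() failed */
    JAIL_ERR_ESCAPE    /* privileges or chroot could still be regained */
};

/* Confine the calling process to `jail` and drop to uid/gid. On success the
 * caller is a non-root process that can neither chroot() again nor become
 * uid 0. Returns a jail_result; errno is left set by the failing call. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    struct stat st;

    /* A chroot that keeps root is not a boundary: root can mkdir, chroot into
     * the new dir and chdir("..") its way back out. Refuse to build one. */
    if (uid == 0 || gid == 0)
        return JAIL_ERR_BADUID;

    if (stat(jail, &st) != 0)
        return JAIL_ERR_STAT;
    /* The jailed user must not own or be able to write the jail root, or it
     * can plant its own /etc, /lib or device nodes for the next start. */
    if (!S_ISDIR(st.st_mode) || st.st_uid != 0 || (st.st_mode & S_IWOTH))
        return JAIL_ERR_PERMS;

    if (chroot(jail) != 0)
        return JAIL_ERR_CHROOT;
    /* chroot() does not move the cwd; without chdir("/") the old tree is
     * still reachable through "." */
    if (chdir("/") != 0)
        return JAIL_ERR_CHROOT;

    /* Supplementary groups first (needs root), then gid, then uid last:
     * once the uid is non-zero none of the others can be changed. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_ERR_DROP;

    /* Verify the drop: regaining root and re-chrooting must both fail. */
    if (setuid(0) == 0 || chroot(".") == 0)
        return JAIL_ERR_ESCAPE;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return JAIL_ERR_ESCAPE;
    return JAIL_OK;
}

/* Run enter_jail() in a forked child and report its result, so the caller's
 * own root, cwd and credentials are untouched. Returns -1 if fork() fails. */
int run_jailed_check(const char *jail, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(enter_jail(jail, uid, gid));
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s JAILDIR UID GID COMMAND [ARGS...]\n", argv[0]);
        return 2;
    }
    int rc = enter_jail(argv[1], (uid_t)strtoul(argv[2], NULL, 10),
                        (gid_t)strtoul(argv[3], NULL, 10));
    if (rc != JAIL_OK) {
        fprintf(stderr, "enter_jail failed: code %d (%s)\n", rc, strerror(errno));
        return 1;
    }
    /* COMMAND is resolved inside the jail and runs as the jailed uid. */
    execvp(argv[4], argv + 4);
    perror("execvp");
    return 1;
}
```

The order of the steps is the whole point: chdir before chroot leaves the old cwd reachable, and any of the credential changes attempted after setuid() will fail, which is why the check at the end treats a successful setuid(0) or chroot(".") as a failure of the jail rather than a success of the call.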