
RE: Grsecurity, ssh and postfix


I think you won't have to make a unique jail for ssh; you can use the
PAM module which is designed especially for this. Unfortunately, AFAIK
Debian does not support that module, so you will have to compile your
own packages. Btw, you can switch off the double chroot restrictions
under Grsec Customize > Filesystem Protections > Chroot jail
restrictions (NEW) > [ ]    Deny double-chroots

Domonkos Czinke

-----Original Message-----
From: Arnaud Fontaine [mailto:dsdebian@free.fr] 
Sent: Saturday, December 06, 2003 3:37 PM
To: debian-security@lists.debian.org
Subject: Re: Grsecurity, ssh and postfix

On Fri, 5 Dec 2003 21:45:01 +0100
Florian Weimer <fw@deneb.enyo.de> wrote:

> The privilege separation code invokes chroot(), too.
> Is there a "do not create any new file descriptors" process attribute
> in grsecurity?  If there is, OpenSSH should toggle instead of calling
> chroot() to an empty directory, which is a poor replacement.


Thanks for your explanation, but I don't know how to do that with
grsecurity. I am looking after this.

I have done a chroot environment for ssh to log in for fetch, read and
send mails with mutt, procmail, fetchmail and postfix. But I would like
to know how I can integrate postfix to this chroot environment. Could
you give me some advice about this?

Thanks for your help...
Arnaud Fontaine

----- signature
Arnaud Fontaine <dsdebian@free.fr> - http://www.andesi.org/
GnuPG Public Key available at http://www.andesi.org/gpg/dsdebian.asc
Fingerprint: 22B6 B676 332E 23BC CA7D 174D 6D41 235A 23A2 500A

------ fortune
"There are a billion people in China. And I want them to be able to pass
notes to each other written in Perl. I want them to be able to write
poetry in Perl. 

That is my vision of the Future. My chosen perspective."

  -- Larry Wall (Open Sources, 1999 O'Reilly and Associates)
