Re: securing server

To: debian-security@lists.debian.org
Subject: Re: securing server
From: Simon Brandmair <sbrandmair@gmx.net>
Date: Fri, 9 May 2008 19:15:49 +0000 (UTC)
Message-id: <[🔎] g027t5$rlb$1@online.de>
References: <[🔎] fa218e630805070209x1c5837cbs6b33c32bf3e2b4b9@mail.gmail.com> <[🔎] 1210152509.4647.7.camel@localhost> <[🔎] 20080507094313.GA8333@lapse.madduck.net> <[🔎] fvsveq$4ik$1@online.de> <[🔎] 20080507195721.GA5994@lapse.madduck.net> <[🔎] 87myn12tq2.fsf@obelix.mork.no>

On Thu, 08 May 2008 08:40:12 +0200 Bjørn Mork wrote:

> martin f krafft <madduck@debian.org> writes:
>> also sprach Simon Brandmair <sbrandmair@gmx.net> [2008.05.07.2020 +0100]:
>>> > no security benefit
>>>  
>>> Just wondering: Why not?
>>
>> http://www.bpfh.net/simes/computing/chroot-break.html
> 
> You still need to be root before breaking the jail, and one of the
> benefits of the chroot is the ability to limit access to potentionally
> vulnerable setuid root applications.

1. And isn't it quite likely that you don't have a C compiler or a Perl
interpreter inside your chroot?

2. IMHO, kernel patches like grsecurity are able to prevent some breaking
strategies.

Simon

Reply to:

References:
- securing server
  - From: "Jean-Paul Lacquement" <zelos414@gmail.com>
- Re: securing server
  - From: weakish <weakish@gmail.com>
- Re: securing server
  - From: martin f krafft <madduck@debian.org>
- Re: securing server
  - From: Simon Brandmair <sbrandmair@gmx.net>
- Re: securing server
  - From: martin f krafft <madduck@debian.org>
- Re: securing server
  - From: Bjørn Mork <bmork@dod.no>

Prev by Date: Re: securing server
Next by Date: Re: [SECURITY] [DSA 1572-1] New php5 packages fix several vulnerabilities
Previous by thread: Re: securing server
Next by thread: Re: securing server
Index(es):
- Date
- Thread