On Tue, Jun 03, 2003 at 10:01:33AM -0700, Mark Ferlatte wrote:
> Phillip Hofmeister said on Tue, Jun 03, 2003 at 10:02:09AM -0400:
> > However, for the most part, chrooting is a valid countermeasure/method
> > to compartmentalize. It is a shame that no distribution comes with
> > packages natively created with/for chrooting.
>
> I believe that OpenBSD does.
>

Yes it does. Although I don't believe that the way to go is chrooting since
it makes it very difficult to ease upgrades.

> Also, Debian's Bind 9 package is pretty trivial to chroot (although it doesn't
> by default). Debian's postfix package does chroot by default, although you
> tend to have to turn it off if you want to use things like postfix-tls or SASL.

There are a number of patches in the BTS to make bind work in a chroot
environment out of the box, using bind's own chroot functionality. In any case,
there are also a number of packages to provide an easy way to set up
chroot/restricted environments (makejail and compartment come to mind).

In any case I don't think that chrooting is the way to go here; it was built to
be used as a testing/programming tool, not really a security tool. There are a
number of (Linux) patches to provide full compartmentalization of processes in
the system which might be the way to go.

Just my 2c.

Regards

Javi
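One thing the thread takes for granted is that a daemon packaged "with chroot" is actually running confined. The following audit script is an added example, not part of this list message or of any Debian package; it assumes a Linux host with /proc mounted and is run from outside any jail (a process inside a chroot sees its own root as "/", so the check is only meaningful from the host side).

```shell
#!/bin/sh
# Added example: report whether running daemons (e.g. named for BIND,
# smtpd/qmgr for Postfix, as discussed in the thread) are really confined
# to a chroot, by comparing each process's root directory as exposed in
# /proc/<pid>/root with the system root "/".
# Assumptions: Linux, /proc mounted, run as root to inspect other users'
# processes, pgrep (procps) available.

# Print the root directory of a process, or "?" when it cannot be read
# (process gone, or insufficient privilege).
root_of_pid() {
    readlink "/proc/$1/root" 2>/dev/null || printf '?'
}

# Classify a process root: anything other than "/" means the process was
# chrooted.  Only valid when run from outside the jail (see lead-in).
classify_root() {
    case "$1" in
        /)   echo "not-chrooted" ;;
        '?') echo "unknown" ;;
        *)   echo "chrooted" ;;
    esac
}

# For every daemon name given, list each matching process with its root
# and classification, so unconfined instances stand out in the output.
report_daemons() {
    for name in "$@"; do
        for pid in $(pgrep -x "$name" 2>/dev/null); do
            root=$(root_of_pid "$pid")
            printf '%-8s pid=%-6s root=%-24s %s\n' \
                "$name" "$pid" "$root" "$(classify_root "$root")"
        done
    done
}

# Usage: sh chroot-audit.sh named smtpd qmgr
[ "$#" -gt 0 ] && report_daemons "$@"
```

Daemons reported as "not-chrooted" are running with the full filesystem visible, regardless of what the package claims to support.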