thx for the info but for some reason I'm receiving http error 403. I guess/hope they took it down. however, all the other mauals are available : http://www.debian.org/doc/manuals
cheers, Kim -----Oorspronkelijk bericht----- Van: Blars Blarson [mailto:[EMAIL PROTECTED] Verzonden: maandag 1 oktober 2001 10:04 Aan: [EMAIL PROTECTED]; debian-security@lists.debian.org CC: [EMAIL PROTECTED] Onderwerp: chroot (was Re: Need Help with the Debian Securing Manual (contributions accepted)) In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] writes: > I am not sure everybody is aware of the "Securing Debian Manual" >which can be found at >http://www.debian.org/doc/manuals/securing-debian-howto/. In any case, I'm >asking for some help with this document due to the current overload of >information I'm suffering. One major problem I've noticed is it seems to perpetuate common misconseptions about chroot. If you have root access in a chroot enviornment, it's quite possible to break out and take over the whole system. (I've know of two ways off the top of my head, I'm sure there are others.) Giving untrusted code root access in a chroot enviornment is security by obscurity -- worthless against a determined attacker and the people setting it up are deluding themselves that their system are protected. (Perhaps you should consider a section on "security by obscurity" and why it is useless.) Running non-root in a chroot enviornment does add a level of protection. (You can't access world-readable files.) Chroot was designed as a software testing tool, not a security tool. -- Blars Blarson [EMAIL PROTECTED] http://www.blars.org/blars.html "Text is a way we cheat time." -- Patrick Nielsen Hayden -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
