On Wed, 2003-08-13 at 00:20, Adam Majer wrote:
> So, now I don't run a Debian kernel at all - only a monolithic
> (no modules) kernel with grsecurity.net patches. Then I set
> up the ACL system (more or less) so that all of the services
> that can be used to break into the system are quite useless
On Wed, 2003-08-13 at 16:02, Colin Walters wrote:
> Let me give an example of how SELinux protects my machine (verbum.org).
> My blog is a Python script (pyblosxom) which runs in a domain called
> httpd_user_script_t.
Oh, and what I forgot to mention about this domain is that it doe
On Wed, 2003-08-13 at 18:39, valerian wrote:
>
> grsec handles this by allowing you to restrict Linux capabilities for a
> process. For example, there's no reason /usr/sbin/apache should have
> access to CAP_SYS_ADMIN (allows mount/umount, amongst other things) or
> CAP_SYS_PTRACE (run ptrace) o
On Wed, 2003-08-13 at 21:00, valerian wrote:
> Well capabilities are only one of the things that grsec implements. You
> can also restrict a process to access various parts of the filesystem.
> There's no reason /usr/sbin/apache should have write access to /etc, so
> you just don't allow it.
Rig
On Wed, 2003-08-13 at 00:20, Adam Majer wrote:
> So, now I don't run a Debian kernel at all - only a monolithic
> (no modules) kernel
This doesn't provide very much security. For example:
http://www.phrack.org/show.php?p=58&a=7
On Fri, 2003-11-28 at 06:03, Forrest L Norvell wrote:
> Hi!
>
> I'm attempting to set up an SELinux system using the Debian packages
> and am unashamed to admit that I'm a little stuck at the moment.
If you're planning to run a production system, I'd recommend starting
from Debian woody and Brian
On Sat, 2003-11-29 at 04:05, Martin Pitt wrote:
> SELinux only uses LSM which makes it easy to port, but seems
> impractical and even dangerous for real-world use [1][2].
The main complaint on those pages seems to be that LSM is only focused
on access control. You may or may not regard that as a
[moved to debian-security, where it belongs]
On Sat, 2003-11-29 at 22:47, David Spreen wrote:
> Even if you're perfectly right with that, I consider it important to
> provide our users the possibility to make their own choice regarding the
> acl systems to use.
You always have a choice to upload
On Sat, 2003-11-29 at 22:53, Colin Walters wrote:
> > Nevertheless I again would like to suggest a policy that forces the
> > maintainers of packages to deliver informations about used system
> > resources
> > of their programs.
However, this is not such a bad idea, if
On Sat, 2003-11-29 at 04:05, Martin Pitt wrote:
> - It needs an extra account ("security officer" with UID 400) which is
> a pretty bad idea IMHO. Since once you are SO (cracked/sniffed
> password etc.), you can alter anything which seems like a giant
> security risk to me.
If the password
On Wed, 2003-08-13 at 16:02, Colin Walters wrote:
> Let me give an example of how SELinux protects my machine (verbum.org).
> My blog is a Python script (pyblosxom) which runs in a domain called
> httpd_user_script_t.
Oh, and what I forgot to mention about this domain is that it doe
On Wed, 2003-08-13 at 00:20, Adam Majer wrote:
> So, now I don't run a Debian kernel at all - only a monolithic
> (no modules) kernel with grsecurity.net patches. Then I set
> up the ACL system (more or less) so that all of the services
> that can be used to break into the system are quite useless
On Wed, 2003-08-13 at 18:39, valerian wrote:
>
> grsec handles this by allowing you to restrict Linux capabilities for a
> process. For example, there's no reason /usr/sbin/apache should have
> access to CAP_SYS_ADMIN (allows mount/umount, amongst other things) or
> CAP_SYS_PTRACE (run ptrace) o
On Fri, 2003-11-28 at 06:03, Forrest L Norvell wrote:
> Hi!
>
> I'm attempting to set up an SELinux system using the Debian packages
> and am unashamed to admit that I'm a little stuck at the moment.
If you're planning to run a production system, I'd recommend starting
from Debian woody and Brian
On Sat, 2003-11-29 at 04:05, Martin Pitt wrote:
> SELinux only uses LSM which makes it easy to port, but seems
> impractical and even dangerous for real-world use [1][2].
The main complaint on those pages seems to be that LSM is only focused
on access control. You may or may not regard that as a
[moved to debian-security, where it belongs]
On Sat, 2003-11-29 at 22:47, David Spreen wrote:
> Even if you're perfectly right with that, I consider it important to
> provide our users the possibility to make their own choice regarding the
> acl systems to use.
You always have a choice to upload
On Sat, 2003-11-29 at 22:53, Colin Walters wrote:
> > Nevertheless I again would like to suggest a policy that forces the
> > maintainers of packages to deliver informations about used system
> > resources
> > of their programs.
However, this is not such a bad idea, if
On Sat, 2003-11-29 at 04:05, Martin Pitt wrote:
> - It needs an extra account ("security officer" with UID 400) which is
> a pretty bad idea IMHO. Since once you are SO (cracked/sniffed
> password etc.), you can alter anything which seems like a giant
> security risk to me.
If the password
Jeff Coppock <[EMAIL PROTECTED]> writes:
> I'm having trouble getting ssh installed on my new woody system.
> I'm getting segmentation faults during the ssh-keygen process. I
> can't find any reason for this.
Are you familiar with GDB? You should download the source to the ssh
package (apt-get
Jeff Coppock <[EMAIL PROTECTED]> writes:
> I'm having trouble getting ssh installed on my new woody system.
> I'm getting segmentation faults during the ssh-keygen process. I
> can't find any reason for this.
Are you familiar with GDB? You should download the source to the ssh
package (apt-get
20 matches
Mail list logo
