Posted to rec.crafts.metalworking
Donnie Barnes
 
Linux is Driving me $#@!!!! nutz!!!

On Wed, 04 Jan, DoN. Nichols wrote:
[ chroot jail discussion ]
And against some attacks can be utterly useless, which means to me that you
really just have a false sense of security with them combined with the
aggravation of having to make them work in every case, which is quite
annoying.


It at least limits the damage to the rest of the system, even if
it can't protect the individual server program. (And, of course, trying
to make some programs work within the chroot jail can reduce the
security if not done carefully. I prefer static linking to using shared
libs for example.)


But a jail is only so good. Once you are *in* it, getting *around* the
bars using other known holes can be easy. chroot was never intended as a
security device and shouldn't really be treated as such since most kernels
aren't designed to truly enforce it anyway. It can certainly stop a true
script kiddie, but on most systems will only slow a true thief down.

In case you didn't know this, chroot was originally intended simply as a
tool to simplify doing things like re-creating *nix installations on a
running system for the purposes of building distributions or testing. But
every *nix kernel seems to care to implement the "jail" hardness to varying
degrees. I'm not sure any claim the jail is even very *hard* to break out
of.

Also note that once into the jail it's *very* easy in most cases to simply
wreak havoc on said running system with DoS type attacks from within. My
personal opinion is the extra security they provide isn't worth the
additional inconvenience of using them in places they weren't really
intended to be used. YMMV.

Those are turned off by default in most every Linux distribution as well.


They certainly did not use to be so.


No, but that was now *years* ago when these type things were left on by
default on most popular Linux distributions. Heck, Fedora (and thus RH)
now defaults to installing SELinux, the protocol developed by the NSA.

I've actually kicked sendmail off of the system, and replaced it
with qmail, which I trust a lot more than I do sendmail. Qmail was
*designed* with security in mind.


Argh. Keep in mind that qmail isn't truly open source by most technically
accepted definitions.


I'm using an older version, from when it was a bit more open.


I don't know that it was ever *more* open. It used to be worse, and he
kept making half-hearted attempts to make it "more" open and then would
send me email wanting it included in RHL. I'd politely say no and point
out why it still wasn't open (which would generally be the same reasons as
before) and then he'd curse me, privately and sometimes publicly. *shrug*

So -- what do you suggest as a good alternative?


On modern hardware most any will do. It seems almost personal preference
at this point as to whether you use postfix or exim. I use postfix.


--Donnie

--
Donnie Barnes http://www.donniebarnes.com 879. V.