previously on this list people contributed: > > - easy create and run programs from chroot and alternate users > > Could you detail what you mean by this? It sounds like you want either > virtual machines or something like docker.io: > > https://packages.debian.org/sid/docker.io
> > > > > > hint: chroot $CHROOT_PATH su - $USER -c "$command_with_args" > > > > Security and chroots aren't things I would associate, you need better. A wide misconception. Chroots are easily implemented and add security almost for free (often /dev/log is all that is needed) and so can be used by default without any potential problems, they also never bring new risks and always make life difficult for an attacker to raise priviledges or get what they are actually after when done correctly. Even at a simple level it should be obvious that they can just nullify the payload so the attacker simply goes elsewhere. Does debian chroot unbound and nginx under their own unbound and nginx users by default? MACs are hardly ever used by default due to management problems and when they are they either may even lead to exploitable programs that cannot do what they expect to be able to or may not offer the protection expected and why not use the chroot under a MAC anyway. If the kernel can be attacked from the chroot then likely the MAC can and due to increased complexity, arguments just as easily arise against both. For most daemons where the filesystem access amounts to little then a MAC is unlikely to prevent any more attacks that chroot wouldn't and where a program needs a lot of access you are fighting a losing battle and you should rethink your attack surface. Time would be better spent on privsep or getting your web content to run without www-data writes via DACs than tuning a complicated MAC to allow it to some degree or writing a cgi program to keep things out of the chroot. What I am saying is MACs are fine when done right and you have the spare time but should not trump better design or excuse lack of priviledge seperation or the often underused and mis-understood power of DACs not being used to their upmost in the first place. Virtual machines add complexity, waste resources and cannot be on by default for each package which is very important. Also many new attacks like timing attacks between virtual machines arrive. Auditing and bug reporting is also greatly complicated compared to bare metal. I am interested in finding out more about qubes though if I find the time for the desktop, mainly in terms of how deep they may have gone for sandboxing say a browser. -- _______________________________________________________________________ 'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy) In Other Words - Don't design like polkit or systemd _______________________________________________________________________ I have no idea why RTFM is used so aggressively on LINUX mailing lists because whilst 'apropos' is traditionally the most powerful command on Unix-like systems it's 'modern' replacement 'apropos' on Linux is a tool to help psychopaths learn to control their anger. (Kevin Chadwick) _______________________________________________________________________ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/686939.12569...@smtp141.mail.ir2.yahoo.com
