chrooting bind9
I'm setting up my new server, based on Debian Woody.
I'm setting bind9 in a chroot jail. There are two ways to do this:
1) using parameter --chroot of 'start-stop-daemon'
2) using parameter -t of bind
In both ways I have to use the -u parameter of bind to change user, otherwise it can't get privileged resources such as the 'domain' socket.
Is there a difference in security with one method with respect to the other?
(I used makejail from testing to build up the structure of the jail).

Thank you in advance
Stefano Salvi

--
Ing. Stefano Salvi           mailto:[EMAIL PROTECTED]
Viale L. Vaschi, 15
46100 Mantova (MN)
+39 0376 321572              http://digilander.iol.it/salvis/
+39 0347 3820490             http://www.salvi.mn.it/stefano/

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Putting Apache, PHP, Tomcat and CGI in a jail
Hi,

I'm currently trying to use makejail... it does not work very well.
A simple way is to copy /bin/bash with its libraries (try ldd /bin/bash to find out which libs you need), so you can do chroot /your/chroot/dir. After that, do dpkg -L apache and copy the contents of the apache package to the chroot; also repeat it with apache-common, tomcat, libapache-mod-php and so on. Then chroot to /your/chroot/dir and try to start apache. The system will tell you some nice words about missing libraries, and you copy the needed libraries to the chroot dir.
It takes a long time, but you will be sure that no duplicate files are copied, and only the needed libs are in your jail. CGI works well, also SSL.

Regards,
Martynas

On Fri, 2003-01-03 19:19, Stefano Salvi wrote:
> I'm setting up my new server, based on Debian Woody.
> I have to host our school website. This site uses parts written in PHP4, and some CGIs. I also want to set up tomcat for a future possible use of JSP and servlets.
> I think it would be wise to put all this stuff in a chroot jail, but I wonder if it is at all possible.
> Makejail from testing has a script about apache, but does it support Tomcat and PHP4? And how about CGIs?
> Do I risk duplicating all the system in the jail?
> Any suggestion?
>
> Thank you in advance
> Stefano Salvi
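The "ldd, then copy" routine described above, automated as an added example (this is not code from the thread; the function names are mine, and it assumes GNU ldd on the host and a jail directory you have already created):

```shell
#!/bin/sh
# Copy a program plus every shared library ldd resolves for it into a
# chroot jail, preserving paths (/lib/libc.so.6 -> $JAIL/lib/libc.so.6).
# Added example, not from the thread; assumes GNU ldd on the host.
set -e

# Print the absolute paths ldd reports for a binary. The dynamic loader
# is listed without "=>", and linux-gate/vdso has no path at all, so we
# simply keep every field that starts with "/".
list_libs() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Copy one file into the jail at its original path. -L follows symlinks
# so the jail holds the real object under the name the loader looks up.
copy_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -L "$src" "$jail$src"
}

# The manual "ldd /bin/bash, copy what it lists" step, for any binary.
jail_copy_with_libs() {
    jail=$1; bin=$2
    copy_into_jail "$jail" "$bin"
    for lib in $(list_libs "$bin"); do
        copy_into_jail "$jail" "$lib"
    done
}

# After copying, list libraries the jailed binary would still fail to
# find; an empty result means chroot "$jail" "$bin" should at least load.
missing_libs() {
    jail=$1; bin=$2
    for lib in $(list_libs "$bin"); do
        [ -e "$jail$lib" ] || echo "$lib"
    done
}

# Usage: sh jailcopy.sh /srv/jail /bin/bash
if [ $# -eq 2 ]; then
    jail_copy_with_libs "$1" "$2"
    missing_libs "$1" "$2"
fi
```

Run it once per program (apache, the PHP module, the CGI interpreters); the missing_libs pass is the same diagnosis the "chroot and see what fails" method gives, without starting the daemon.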
How to get the current security updates on CD?
Hi. I'm doing a fresh Woody installation, and I want it to include a reasonably current set of security updates, but I also want to do the installation offline. How can I get the security updates in CD form? I went to http://www.debian.org/security, but I couldn't find anything like CD images.

Thanks,
KJ
Re: Putting Apache, PHP, Tomcat and CGI in a jail
On Sat, Jan 04, 2003 at 09:00:45PM +0200, Martynas Domarkas wrote:
> Hi,
> I'm currently trying to use makejail... it does not work very well.

Could you elaborate more on this? I would like to know which issues you have come up with.

Also, you might want to take a look at the (recent) Appendix added to the Securing Debian Manual on how to set up a chroot environment for Apache:
http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-apache-env.en.html

Regards

Javi
Re: How to get the current security updates on CD?
On Sat, Jan 04, 2003 at 05:20:46PM -0500, [EMAIL PROTECTED] wrote:
> Hi. I'm doing a fresh Woody installation, and I want it to include a reasonably current set of security updates, but I also want to do the installation offline. How can I get the security updates in CD form? I went to http://www.debian.org/security, but I couldn't find anything like CD images.

Options include:

1) Turn off every listening port on the machine before connecting to the internet, then use security.debian.org like normal. Protects against remote exploits outside the kernel, and is pretty easy to do for a limited number of machines.

2) Set up a private ftp/http mirror of security.debian.org and update the system from there before connecting it to the internet. Protects against all exploits to the extent that your mirror is current, and is probably easiest for a large number of machines.

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]
Putting Apache, PHP, Tomcat and CGI in a jail
I'm setting up my new server, based on Debian Woody.
I have to host our school website. This site uses parts written in PHP4, and some CGIs. I also want to set up tomcat for a future possible use of JSP and servlets.
I think it would be wise to put all this stuff in a chroot jail, but I wonder if it is at all possible.
Makejail from testing has a script about apache, but does it support Tomcat and PHP4? And how about CGIs?
Do I risk duplicating all the system in the jail?
Any suggestion?

Thank you in advance
Stefano Salvi

--
Ing. Stefano Salvi           mailto:[EMAIL PROTECTED]
Viale L. Vaschi, 15
46100 Mantova (MN)
+39 0376 321572              http://digilander.iol.it/salvis/
+39 0347 3820490             http://www.salvi.mn.it/stefano/
Re: How to get the current security updates on CD?
In a stormy day a lightning flash occurred: it carried the message from [EMAIL PROTECTED]:
> How can I get the security updates in CD form?
> I went to http://www.debian.org/security, but I couldn't find anything
> like CD images.

You'd better add the following lines in /etc/apt/sources.list:

deb http://security.debian.org/ testing/updates main
  -- only if you run the sarge (testing) version of Debian GNU/Linux
deb http://security.debian.org/ stable/updates main
  -- correct for woody

then connect to the Internet:

root# apt-get update

to refresh the list of packages available on the source sites, then

root# apt-get upgrade

have fun!
Ste

--
Debian GNU/Linux docet:
User's Guide: http://www.debian.org/doc/manuals/users-guide/
Debian reference: http://www.debian.org/doc/manuals/debian-reference/
Debian reference Project at: http://qref.sf.net
Please DO NOT send any attachment in proprietary format, such as either .doc or .ppt, BECAUSE:
http://www.fsf.org/philosophy/no-word-attachments.html
Re: How to get the current security updates on CD?
On Sun, Jan 05, 2003 at 12:26:12AM +0100, SteX imagined:
> In a stormy day a lightning flash occurred: it carried the message from [EMAIL PROTECTED]:
> > How can I get the security updates in CD form?
> > I went to http://www.debian.org/security, but I couldn't
> > find anything
> > like CD images.
>
> You'd better add the following lines in /etc/apt/sources.list:
>
> deb http://security.debian.org/ testing/updates main
>   -- only if you run the sarge (testing) version of Debian GNU/Linux
> deb http://security.debian.org/ stable/updates main
>   -- correct for woody
>
> then connect to the Internet:
>
> root# apt-get update
>
> to refresh the list of packages available on the source sites, then
>
> root# apt-get upgrade
>
> have fun!
> Ste

Interesting -- I wasn't aware of the security updates to sarge/testing. If I am correct in assuming that the Security Team still don't *officially* support Testing/Sarge, then I would be interested in knowing who produces/maintains these security updates to Testing/Sarge?

TIA,
Raymond

--
You deserve to be able to cooperate openly and freely with other people who use software. You deserve free software.
-Richard M. Stallman, Free Software Foundation, http://www.fsf.org
Re: chrooting bind9
begin Stefano Salvi quote on Fri, Jan 03, 2003 at 06:19:53PM +0100:
> There are two ways to do this:
> 1) using parameter --chroot of 'start-stop-daemon'
> 2) using parameter -t of bind
> In both ways I have to use the -u parameter of bind to change user, otherwise it can't get privileged resources such as the 'domain' socket.
> Is there a difference in security with one method with respect to the other?

I don't think so. I use the -t parameter of bind myself:
http://cryptio.net/~ferlatte/config

M
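Whichever of the two methods is used, what can be verified is the state the running daemon ends up in: its root directory and its uid. The checks below are an added example, not code from the thread (function names and the /var/lib/named path are mine), and assume Linux /proc:

```shell
#!/bin/sh
# Verify that a running daemon really is confined and unprivileged,
# whichever of the two methods (start-stop-daemon --chroot, or named -t)
# put it there. Added example, not from the thread; assumes Linux /proc.
set -e

# The root directory the process actually sees. /proc/PID/root is a
# symlink to the real root, so a chrooted named shows the jail path here.
proc_root() {
    readlink "/proc/$1/root"
}

# Real uid of the process, second field of the "Uid:" line in status.
proc_uid() {
    awk '$1 == "Uid:" { print $2 }' "/proc/$1/status"
}

# Return 0 when the process has the expected root and is not uid 0
# (the -u switch worked); otherwise print what is wrong and return 1.
check_jailed() {
    pid=$1; jail=$2; ok=0
    root=$(proc_root "$pid")
    uid=$(proc_uid "$pid")
    if [ "$root" != "$jail" ]; then
        echo "pid $pid: root is $root, expected $jail"; ok=1
    fi
    if [ "$uid" = "0" ]; then
        echo "pid $pid: still running as root"; ok=1
    fi
    return $ok
}

# A jail should not carry setuid/setgid binaries: the daemon has no use
# for them, and a compromised daemon could use them to regain privileges.
jail_privileged_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Usage (example jail path): sh jailcheck.sh "$(pidof named)" /var/lib/named
if [ $# -eq 2 ]; then
    check_jailed "$1" "$2"
    jail_privileged_files "$2"
fi
```

One practical difference between the methods the check does not see: start-stop-daemon --chroot changes root before exec'ing named, so the binary and its libraries must live inside the jail, while named -t chroots itself after starting and only needs its configuration and zones there.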
Re: Putting Apache, PHP, Tomcat and CGI in a jail
A word of caution to chrooters: make sure when a library gets updated for security you copy the updated library into the jail and then restart all jailed applications...

--
Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #47: Cosmic ray particles crashed through the hard disk platter
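That caution turned into a check, as an added example that is not from the thread (function names are mine; HOSTROOT defaults to the real root and the restart test assumes Linux /proc): it lists jail files that differ from the host copy they were taken from, refreshes them, and flags processes still mapping a replaced library.

```shell
#!/bin/sh
# Find files in a chroot jail that no longer match the host copy they were
# taken from (e.g. a library replaced by a security update), refresh them,
# and tell which jailed processes still run on old code. Added example,
# not from the thread; assumes Linux /proc. HOSTROOT defaults to /.
set -e

# Print the jail-relative path of every regular file whose host copy
# differs. Files the host no longer has are reported too, since the jail
# then carries code nothing maintains any more.
stale_jail_files() {
    jail=$1; host=${2:-}
    find "$jail" -type f | while read -r f; do
        rel=${f#"$jail"}
        if [ ! -f "$host$rel" ]; then
            echo "$rel (no longer on host)"
        elif ! cmp -s "$f" "$host$rel"; then
            echo "$rel"
        fi
    done
}

# Copy the current host version over each stale jail file (skips files
# the host no longer has; those need a decision, not a blind copy).
refresh_jail_files() {
    jail=$1; host=${2:-}
    stale_jail_files "$jail" "$host" | grep -v ' (no longer on host)$' | while read -r rel; do
        cp -L "$host$rel" "$jail$rel"
    done
}

# "Then restart all jailed applications": a process still mapping a
# library that was replaced on disk shows that mapping as "(deleted)".
needs_restart() {
    grep -q '(deleted)$' "/proc/$1/maps"
}

# Usage: sh jailrefresh.sh /srv/jail   (then check each jailed pid)
if [ $# -ge 1 ]; then
    stale_jail_files "$1"
fi
```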
Re: How to get the current security updates on CD?
Quoting Raymond Wood ([EMAIL PROTECTED]):
> Interesting -- I wasn't aware of the security updates to sarge/testing. If I am correct in assuming that the Security Team still don't *officially* support Testing/Sarge, then I would be interested in knowing who produces/maintains these security updates to Testing/Sarge?

http://www.debian.org/security/faq#testing states:

  Q: How is security handled for testing and unstable?
  A: The short answer is: it's not. Testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable. However, the security secretaries will try to fix problems in testing and unstable after they are fixed in the stable release.

--
Cheers,                  Skud: Real Programmers don't use Python.
Rick Moen                Thorfinn: Real Programmers don't use *whitespace*.
[EMAIL PROTECTED]
Re: Putting Apache, PHP, Tomcat and CGI in a jail
On Fri, 03 Jan 2003 18:19:43 +0100
Stefano Salvi [EMAIL PROTECTED] wrote:
> Makejail from testing has a script about apache, but does it support Tomcat and PHP4? And how about CGIs?

It supports php and CGIs; I've tested it with a search engine with php/mysql, and I'm about to use it for phpnuke.

To help apache access the needed files you can put in the option testCommandsOutsideJail some commands which request these pages (wget ...).

You can include some packages like php modules in the option packages, or directories/files with forceCopy, to move these files and the shared libs they need, if you aren't sure the test commands access all the files you'll need, and you won't have to update the jail when you add a feature which needs a new file (for example the directories with apache modules, or all of phpnuke).

For tomcat or anything else, there is currently no reason why it shouldn't work; there may be some bugs but no unsupported features afaik.

Alain
Re: Putting Apache, PHP, Tomcat and CGI in a jail
On Sun, Jan 05, 2003 at 01:16:31AM +0100, Javier Fernández-Sanguino Peña wrote:
> On Sat, Jan 04, 2003 at 09:00:45PM +0200, Martynas Domarkas wrote:
> > Hi,
> > I'm currently trying to use makejail... it does not work very well.
>
> Could you elaborate more on this? I would like to know which issues you have come up with.
>
> Also, you might want to take a look at the (recent) Appendix added to the Securing Debian Manual on how to set up a chroot environment for Apache:
> http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-apache-env.en.html

Cool, here are some more links:

http://penguin.epfl.ch/chroot.html
apache chroot

http://www-106.ibm.com/developerworks/linux/library/l-freevsd.html
http://www.freevsd.org/
freeVSD is an advanced web-hosting platform. It allows multiple Virtual Servers to be created on a single hosting server.

// George

--
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.            http://www.galis.org/george
Re: How to get the current security updates on CD?
On Sat, Jan 04, 2003 at 05:20:46PM -0500, [EMAIL PROTECTED] wrote:
> Hi. I'm doing a fresh Woody installation, and I want it to include a reasonably current set of security updates, but I also want to do the installation offline. How can I get the security updates in CD form? I went to http://www.debian.org/security, but I couldn't find anything like CD images.

Security updates are periodically folded into the 'stable' distribution as part of point releases. The most recent point release was 3.0r1, released December 16, 2002. So a CD of 3.0r1 will include a reasonably current set of security updates. For other updates made in the past few weeks, you must get them from security.debian.org as usual.

--
 - mdz