Re: goals for hardening Debian: ideas and help wanted
On 24 Apr 2014 10:58, "Andrew McGlashan" <andrew.mcglas...@affinityvision.com.au> wrote:
>
> On 24/04/2014 5:49 PM, Lesley Binks wrote:
> > Apologies for the top posting, I'm writing this from my phone.
> > I get a 403 when trying to access via Orbot/Orweb on Android 4.1 phone.
> > Amusing.
>
> It works for me [Orbot/Orweb -- 4.3 on both i9300 and i9505], did you
> get the case right?
>
> Strangely though my i9300 wouldn't use Tor properly until I rebooted it;
> Orbot said it was fine, but Orweb gave my public IP address! It was
> fine after a reboot, but I don't know why that was necessary.
>

Thanks Andrew

Just retried the link in an Orbot/Orweb combo and the page came up okay.

Kind regards

Lesley

Re: goals for hardening Debian: ideas and help wanted
Marko Randjelovic:
> On Tue, 29 Apr 2014 11:52:14 +
> Patrick Schleizer wrote:
>
>> Marko Randjelovic:
>>> I was thinking about some kind
>>> of wizard:
>>>
>>> - create a chroot if it doesn't already exist
>>> - create a launcher for your DE
>>> - create a shell script to run a program from terminal or a simple WM
>>>
>>> hint: chroot $CHROOT_PATH su - $USER -c "$command_with_args"
>>
>> chroot is not a security feature?
>>
>> As far as I understand, chroots in Debian/Fedora aren't jails.
>>
>> Source:
>> https://securityblog.redhat.com/2013/03/27/is-chroot-a-security-feature/
>>
>
>> it is not really a security feature, it is closer to what we would call a
>> hardening feature.
>
> Well, we have the word "hardening" in the subject, I'm not sure
> what OP meant, probably he meant more "security" than "hardening",
> but grsecurity which is mentioned in wiki[1] contains features to
> prevent breaking out of chroot, so combined with grsecurity chroot
> might be called a security feature?
>
> [1] https://wiki.debian.org/Hardening/Goals

I see. Sure, if possible, that would be an interesting security feature!

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/535fe943.6070...@riseup.net

Re: goals for hardening Debian: ideas and help wanted
On Tue, 29 Apr 2014 11:52:14 +
Patrick Schleizer wrote:

> Marko Randjelovic:
> > I was thinking about some kind
> > of wizard:
> >
> > - create a chroot if it doesn't already exist
> > - create a launcher for your DE
> > - create a shell script to run a program from terminal or a simple WM
> >
> > hint: chroot $CHROOT_PATH su - $USER -c "$command_with_args"
>
> chroot is not a security feature?
>
> As far as I understand, chroots in Debian/Fedora aren't jails.
>
> Source:
> https://securityblog.redhat.com/2013/03/27/is-chroot-a-security-feature/
>
> > it is not really a security feature, it is closer to what we would call a
> > hardening feature.

Well, we have the word "hardening" in the subject, I'm not sure what OP meant, probably he meant more "security" than "hardening", but grsecurity which is mentioned in wiki[1] contains features to prevent breaking out of chroot, so combined with grsecurity chroot might be called a security feature?

[1] https://wiki.debian.org/Hardening/Goals

--
http://markorandjelovic.hopto.org

One should not be afraid of humans.
Well, I am not afraid of humans, but of what is inhuman in them.
Ivo Andric, "Signs near the travel-road"

Archive: https://lists.debian.org/20140429184222.3296b...@eunet.rs

Re: goals for hardening Debian: ideas and help wanted
>
> chroot is not a security feature?
>
> As far as I understand, chroots in Debian/Fedora aren't jails.
>
> Source:
> https://securityblog.redhat.com/2013/03/27/is-chroot-a-security-feature/
>

Indeed, a Linux chroot environment is not a jail. You could use sth. like grsecurity to harden Linux chroot environments; or any MAC (Mandatory Access) system like SELinux. You may also read a bit about the security of chroot at http://www.elstel.org/xchroot/ (the first two sections).

Archive: https://lists.debian.org/6da36cf6-1942-45b3-831f-4689d2021...@gmail.com

Re: goals for hardening Debian: ideas and help wanted
Marko Randjelovic:
> I was thinking about some kind
> of wizard:
>
> - create a chroot if it doesn't already exist
> - create a launcher for your DE
> - create a shell script to run a program from terminal or a simple WM
>
> hint: chroot $CHROOT_PATH su - $USER -c "$command_with_args"

chroot is not a security feature?

As far as I understand, chroots in Debian/Fedora aren't jails.

Source:
https://securityblog.redhat.com/2013/03/27/is-chroot-a-security-feature/

Archive: https://lists.debian.org/535f926e.3080...@riseup.net

Re: goals for hardening Debian: ideas and help wanted
On Tue, 29 Apr 2014 11:35:26 +0800
Paul Wise wrote:

> On Tue, Apr 29, 2014 at 8:07 AM, Marko Randjelovic wrote:
>
> > - security patches should be clearly marked as such in every *.patch
> > file
>
> That sounds like a good idea, could you add it to the wiki page?

I added this:

"Debian policy should require that in every source package all security packages should be clearly marked as such in standard and easily parsable way with optional further references."

>
> > - easy create and run programs from chroot and alternate users
>
> Could you detail what you mean by this? It sounds like you want either
> virtual machines or something like docker.io:
>
> https://packages.debian.org/sid/docker.io

Sincerely, I never heard about Docker before, I didn't mean about VMs and I meant about chrooting. I was thinking about some kind of wizard:

- create a chroot if it doesn't already exist
- create a launcher for your DE
- create a shell script to run a program from terminal or a simple WM

hint: chroot $CHROOT_PATH su - $USER -c "$command_with_args"

>
> > - apt-get should automatically check checksums
>
> That happens now, if you find an instance where it does not, please
> file a severity serious bug report on apt with enough detail for the
> maintainers to debug and fix it.
>
> https://www.debian.org/Bugs/Reporting
>

I didn't know it, does apt-get/aptitude/synaptic do complete checks?

1. verify Release file signature
2. verify checksums of repo files
3. verify checksums of individual .deb files

I remember some time ago I edited a file with hexedit (after apt-get downloaded it) and tried to install it with apt-get and it didn't complain.

--
http://markorandjelovic.hopto.org

One should not be afraid of humans.
Well, I am not afraid of humans, but of what is inhuman in them.
Ivo Andric, "Signs near the travel-road"

Archive: https://lists.debian.org/20140429122053.2c7a5...@eunet.rs
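
Steps 2 and 3 of the check chain listed in the message above, as an added example that is not apt's code and not part of the original thread: it parses a constructed Release file and Packages index and compares SHA256 and size at each link, so a single changed byte in the .deb is reported. Step 1 (the Release signature) is assumed to have been verified already; `verify_chain`, the sample paths and all sample data are hypothetical.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def release_entries(release_text: str) -> dict:
    """Map index path -> (sha256, size) from the 'SHA256:' block of a Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_block = False
    return entries

def package_entries(packages_text: str) -> dict:
    """Map Filename -> (sha256, size) from the stanzas of a Packages index."""
    entries = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        entries[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return entries

def verify_chain(release_text, index_path, index_bytes, deb_path, deb_bytes) -> str:
    """Steps 2 and 3; step 1 (Release signature) is assumed already verified."""
    want = release_entries(release_text).get(index_path)
    if want != (sha256(index_bytes), len(index_bytes)):
        return "index mismatch"
    want = package_entries(index_bytes.decode()).get(deb_path)
    if want != (sha256(deb_bytes), len(deb_bytes)):
        return "deb mismatch"
    return "ok"

# Constructed sample data, not a real archive.
DEB = b"!<arch>\nconstructed sample package body\n"
DEB_PATH = "pool/main/d/demo/demo_1.0_all.deb"
INDEX = (f"Package: demo\nVersion: 1.0\nFilename: {DEB_PATH}\n"
         f"Size: {len(DEB)}\nSHA256: {sha256(DEB)}\n").encode()
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE = f"Suite: demo\nSHA256:\n {sha256(INDEX)} {len(INDEX)} {INDEX_PATH}\n"
# Flip one bit, as a hex editor would, keeping the size unchanged.
TAMPERED = bytes([DEB[0] ^ 0x01]) + DEB[1:]

if __name__ == "__main__":
    print(verify_chain(RELEASE, INDEX_PATH, INDEX, DEB_PATH, DEB))
    print(verify_chain(RELEASE, INDEX_PATH, INDEX, DEB_PATH, TAMPERED))
```

Each link only has value if the one above it holds: the .deb hash is trusted because the Packages index matched the Release file, and the Release file is trusted because of its signature.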