Re: Grsecurity, ssh and postfix

2003-12-09 Thread Javier Fernández-Sanguino Peña
On Mon, Dec 08, 2003 at 09:30:04AM +0100, Domonkos Czinke wrote: > Hi, > > I think you won't have to make a unique jail for ssh, you can use the > pam module which is designed especially for this. Unfortunately AFAIK > debian does not support that module, so you will have to compile your > own pac

Re: Grsecurity, ssh and postfix

2003-12-09 Thread Javier Fernández-Sanguino Peña
On Mon, Dec 08, 2003 at 09:30:04AM +0100, Domonkos Czinke wrote: > Hi, > > I think you won't have to make a unique jail for ssh, you can use the > pam module which is designed especially for this. Unfortunately AFAIK > debian does not support that module, so you will have to compile your > own pac

Re: Grsecurity, ssh and postfix

2003-12-09 Thread Florian Weimer
Domonkos Czinke wrote: > I think you won't have to make a unique jail for ssh, you can use the > pam module which is designed especially for this. Unfortunately AFAIK > debian does not support that module, so you will have to compile your > own packages. Btw you can switch off the double chroot re

Re: Grsecurity, ssh and postfix

2003-12-09 Thread Florian Weimer
Domonkos Czinke wrote: > I think you won't have to make a unique jail for ssh, you can use the > pam module which is designed especially for this. Unfortunately AFAIK > debian does not support that module, so you will have to compile your > own packages. Btw you can switch off the double chroot re

RE: Grsecurity, ssh and postfix

2003-12-08 Thread Domonkos Czinke
Grsec Customize > Filesystem Protections > Chroot jail restrictions (NEW) > [ ]Deny double-chroots Domonkos Czinke -Original Message- From: Arnaud Fontaine [mailto:[EMAIL PROTECTED] Sent: Saturday, December 06, 2003 3:37 PM To: debian-security@lists.debian.org Subject: Re: Grsec

RE: Grsecurity, ssh and postfix

2003-12-08 Thread Domonkos Czinke
Grsec Customize > Filesystem Protections > Chroot jail restrictions (NEW) > [ ]Deny double-chroots Domonkos Czinke -Original Message- From: Arnaud Fontaine [mailto:[EMAIL PROTECTED] Sent: Saturday, December 06, 2003 3:37 PM To: [EMAIL PROTECTED] Subject: Re: Grsecurity, ssh an

Re: Grsecurity, ssh and postfix

2003-12-06 Thread Arnaud Fontaine
On Fri, 5 Dec 2003 21:45:01 +0100 Florian Weimer <[EMAIL PROTECTED]> wrote: > The privilege separation code invokes chroot(), too. > > Is there a "do not create any new file descriptors" process attribute > in grsecurity? If there is, OpenSSH should toggle instead of calling > chroot() to an emp

Re: Grsecurity, ssh and postfix

2003-12-06 Thread Arnaud Fontaine
On Fri, 5 Dec 2003 21:45:01 +0100 Florian Weimer <[EMAIL PROTECTED]> wrote: > The privilege separation code invokes chroot(), too. > > Is there a "do not create any new file descriptors" process attribute > in grsecurity? If there is, OpenSSH should toggle instead of calling > chroot() to an emp