On Sun, Jan 05, 2003 at 11:51:44AM +0100, John Morgan Salomon wrote:

> Seriously: I don't know whether Linux supports it, but
> you should look into either chrooting your web services
> (all your services, for that matter) or even running them
> in a jail.

It does, of course. "apt-get install jailtool". HP has an even more sophisticated jail solution for Linux called "compartments".

We normally compile the kernel using grsec (http://www.grsecurity.net), which provides several different protections in excess of the normal possibilities: ACLs, non-exec stack, chroot restrictions, auditing features, randomized IP IDs, randomized PIDs and so on. This puts Linux up to what you otherwise only get with OpenBSD, and even more.

Most importantly, the non-exec stack will render most buffer-overflow attacks commonly used by script kiddies useless (Note: you _can_ overflow them nevertheless, but it takes more skill. And heap-based overflows will work also). Which gives us just the few extra days we need to patch our systems.

Cheers
Seegras

--
Those who give up essential liberties for temporary safety deserve neither liberty nor safety. -- Benjamin Franklin

----------------------------------------------
[EMAIL PROTECTED]
Maillist-Archive: http://www.mail-archive.com/swinog%40swinog.ch/
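Added example, not part of the original post and not grsecurity's or PaX's own code: a Linux-only C check of whether the running process actually has the non-executable stack the post relies on, consulting both what the binary requested (its ELF PT_GNU_STACK header) and what the kernel granted (the [stack] mapping in /proc/self/maps). It assumes a glibc or musl toolchain with <sys/auxv.h> and a mounted /proc.

```c
/* Report whether this process has a non-executable stack.
 * Both functions return 1 = executable, 0 = non-executable, -1 = unknown. */
#include <elf.h>
#include <link.h>
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>

/* Walk our own program headers (located via the auxiliary vector) and
 * inspect PT_GNU_STACK: PF_X set means the binary asked for an exec stack. */
int gnu_stack_requests_exec(void)
{
    const ElfW(Phdr) *phdr = (const ElfW(Phdr) *)getauxval(AT_PHDR);
    unsigned long phnum = getauxval(AT_PHNUM);
    if (!phdr || !phnum)
        return -1;
    for (unsigned long i = 0; i < phnum; i++)
        if (phdr[i].p_type == PT_GNU_STACK)
            return (phdr[i].p_flags & PF_X) ? 1 : 0;
    return -1; /* no PT_GNU_STACK header: old toolchain, loader decides */
}

/* Find the "[stack]" line in /proc/self/maps and read its perms field
 * ("rw-p" = non-exec, "rwxp" = executable). Main-thread stack only. */
int stack_mapping_is_exec(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int result = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (!strstr(line, "[stack]"))
            continue;
        /* field layout: "start-end perms offset dev inode path" */
        char perms[8] = {0};
        if (sscanf(line, "%*s %7s", perms) == 1)
            result = (perms[2] == 'x') ? 1 : 0;
        break;
    }
    fclose(f);
    return result;
}

int main(void)
{
    printf("PT_GNU_STACK exec requested: %d\n", gnu_stack_requests_exec());
    printf("[stack] mapping executable:  %d\n", stack_mapping_is_exec());
    return 0;
}
```

A hardened host should print 0 for both; a 1 on either line means stack-resident code can run and the protection the post counts on is absent for that binary.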
