Christian Haugan Toldnes writes: > Christos Panagiotakis wrote: >> Hello people (again). >> >> TSL claims to be and true it is a very secured linux distro. What >> about to make it >> a litle more secure? On most cases when a machine goes compromised is >> about 80% locally and not remote damage. Eg from a user who has already an >> account on the machine. >> >> Searching the internet I found a tool which automatically makes Jail >> (chroot) enviroment >> for the local users. And I am wondering if this could be useful for >> Trustix Linux to >> put it in the update section or in the next TSL release like a tool or >> with help with a automated "useradd" script which will make "ready to >> run" jailed users. >> >> Any opinions on this ? > > What happens when you upgrade your system? Will the files available to > the chrooted users still be outdated? In all such jailing concepts I > have seen, the jail is static and will over time become unsecure. Not to > the system, but to the users.
about that subject ive found something quite nice... look at chroot_safe :) it let you skip the copy to jail of the shared libs youll still have to create fifos and so... but its already a step ahead :P cheers Fremen PS: u can get it already packaged from tsl.chung.li > > This means that although it limits the problem, it also places your > users in a situation where they use outdated software, and may have > their accounts compromised, since the tools they are using are insecure. > > Anyone having local users must be very much aware of the risks. While > chrooting might help, it will only make things worse if not completely > integrated into the rest of the system. All chroots must be updated > every time the system changes via swup. I will ve very surprised if this > tool does in fact do that. > > > > > -- > Christian H. Toldnes > Trustix Developer _______________________________________________ tsl-discuss mailing list [email protected] http://lists.trustix.org/mailman/listinfo/tsl-discuss
