The protections offered by chroot are redundant with the protections offered by AppArmor. You can use both at the same time, and stuff will "just work". However, the combination is slightly *less* secure than AppArmor alone. Details here: http://lists.suse.com/archive/suse-security/2006-Jul/0026.html

So do this:

* If you *must* use chroot, then use AA anyway, as the combination is more secure than chroot alone.
* If you don't have to use chroot, then turn chroot off and use AA by itself, as AA alone is more secure than AA+chroot.

Crispin

Miguel ALBUQUERQUE wrote:
I was just wondering how AppArmor and vsftpd will react if one enables the vsftpd option chroot_local_user=YES in /etc/vsftpd.conf.
Correct me if I am wrong, but as much as I understood, AA is for protecting data integrity as chroot jails are for creating user confinement. In that case the combination of both will be a very good compromise in security vs performance or it's just a bit overkill?
*Miguel Albuquerque*
*Network Administrator*
http://www.codalis.ch/
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Hack: adroit engineering solution to an unanticipated problem
Hacker: one who is adroit at pounding round pegs into square holes
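
A small audit sketch for the cases discussed in this thread, added here as an example and not part of the original messages: it reads a vsftpd.conf and an AppArmor profile list and reports which case a host is in. The profile name `/usr/sbin/vsftpd`, the sample inputs and the result labels are assumptions; only `chroot_local_user` is checked.

```python
import re

# Constructed sample inputs (not taken from the original messages).
SAMPLE_VSFTPD_CONF = """\
# constructed example of /etc/vsftpd.conf
listen=YES
local_enable=YES
chroot_local_user=YES
"""
# Constructed sample in the "name (mode)" line format of
# /sys/kernel/security/apparmor/profiles.
SAMPLE_AA_PROFILES = """\
/usr/sbin/ntpd (enforce)
/usr/sbin/vsftpd (enforce)
/usr/sbin/cupsd (complain)
"""

def vsftpd_bool(conf_text, key, default=False):
    """Read a boolean option=value setting; '#' lines are comments.
    Assumption of this sketch: the last assignment of a key wins."""
    value = default
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, val = line.partition("=")
        if name == key:
            value = val.strip().upper() in ("YES", "TRUE", "1")
    return value

def aa_mode(profiles_text, profile):
    """Return the mode ('enforce', 'complain', ...) of a loaded profile, or None."""
    for line in profiles_text.splitlines():
        m = re.fullmatch(r"(.+) \((\w+)\)", line.strip())
        if m and m.group(1) == profile:
            return m.group(2)
    return None

def classify(conf_text, profiles_text, profile="/usr/sbin/vsftpd"):
    """Map the host state onto the cases compared in the reply."""
    chroot = vsftpd_bool(conf_text, "chroot_local_user")
    # A profile in complain mode only logs, so it does not count as confinement.
    confined = aa_mode(profiles_text, profile) == "enforce"
    if confined and not chroot:
        return "apparmor-only"      # the setup the reply recommends
    if confined and chroot:
        return "apparmor+chroot"    # works, but ranked below AppArmor alone
    if chroot:
        return "chroot-only"        # ranked below the combination
    return "unconfined"             # case not discussed in the thread

if __name__ == "__main__":
    print(classify(SAMPLE_VSFTPD_CONF, SAMPLE_AA_PROFILES))
```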