Mailinglist Archive: opensuse-security (138 mails)

Re: [suse-security] Re: Openssh + security
  • From: Crispin Cowan <crispin@xxxxxxxxxx>
  • Date: Wed, 14 Dec 2005 11:01:40 -0800
  • Message-id: <43A06C14.9040604@xxxxxxxxxx>
Dirk Schreiner wrote:
> Crispin Cowan wrote:
>
>> on the gateway machine. The latter is just as horrible for the security
>> of your firewall as is running X on your firewall. Unless you use
>> AppArmor :)
>>
> Oh,
> you can chroot apache fairly well.
>
True, if you use any of a variety of confinement mechanisms (chroot,
virtual machines (Xen, VMware, UML), AppArmor, SELinux) then you can
achieve sufficient confinement of the web server that your firewall
could be safe enough. The issue is how easy or difficult it is to
achieve that, and to achieve it correctly because if the confinement has
holes, then your security is at risk again. Chroot, in particular, has
issues with being escapable if it is not configured correctly, so be
careful.

Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
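
An added example, not part of the original mail: one way to audit a chroot directory tree for file-level settings that commonly weaken such a jail (setuid/setgid files, device nodes, loosely writable or non-root-owned entries). The function names and the sample tree are assumptions made for this illustration.

```python
import os
import stat
import tempfile

def audit_chroot_tree(jail_root, trusted_uid=0):
    """Return sorted (relative_path, issue) pairs for entries that weaken a chroot."""
    entries = [jail_root]
    for dirpath, dirnames, filenames in os.walk(jail_root):
        entries += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in entries:
        st = os.lstat(path)
        mode = st.st_mode
        if stat.S_ISLNK(mode):
            continue  # symlink permission bits carry no meaning on Linux
        rel = os.path.relpath(path, jail_root)
        if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
            # Device nodes expose kernel and disk objects that live outside the jail.
            findings.append((rel, "device node"))
        if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
            # chroot only confines unprivileged processes; these files grant privilege.
            findings.append((rel, "setuid/setgid file"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((rel, "writable by group or other"))
        if st.st_uid != trusted_uid:
            findings.append((rel, "not owned by trusted uid"))
    return sorted(findings)

def build_sample_jail(root):
    """Constructed sample tree: one setuid helper and one open upload directory."""
    os.chmod(root, 0o755)
    sample = [("bin", 0o755, True), ("bin/helper", 0o4755, False),
              ("upload", 0o777, True), ("index.html", 0o644, False)]
    for rel, mode, is_dir in sample:
        path = os.path.join(root, rel)
        if is_dir:
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as jail:
        build_sample_jail(jail)
        # The sample is built by the current user, so treat that uid as trusted here.
        for rel, issue in audit_chroot_tree(jail, trusted_uid=os.geteuid()):
            print(f"{issue}: {rel}")
```

This looks only at the files inside the jail; whether the confined process drops root and changes its working directory into the jail before serving requests has to be checked separately.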

