RE: [cobalt-users] Cobalt to provide compensation for server hack?
- Subject: RE: [cobalt-users] Cobalt to provide compensation for server hack?
- From: "Dan Mahoney, System Admin" <danm@xxxxxxxxxxxxxxx>
- Date: Thu Feb 22 13:38:31 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

People sit and discuss whether Cobalt *knew* bind was insecure the whole
time. However, even if insecure, there are basic things you can do to
secure it. Here's a couple.

1. DON'T RUN IT AS ROOT. The Cobalts, even with the latest revisions,
still run bind as root. Why? No sensible user will run it as root. The
basic rule under Unix is "run as little as root as possible".

2. RUN IT IN A SANDBOX. This means that once it runs, it makes a system
chroot() call that means it is basically unable to see outside its own
directory (or directory tree). This is simple to do with MOST versions of
bind, and affects how bind runs very little.

That is, IF bind is the problem. If it's something else, I haven't seen
it discussed yet, except for the one user who mentioned something about a
proftpd .pkg. I'd love to see an answer here, if anyone knows it.

-Dan Mahoney
--
"Blargy Frap!"
-mtreal, efnet #macintosh channel, 8.10.98, Approx 3AM
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Web: http://prime.gushi.org
finger danm@xxxxxxxxxxxxxxx
for pgp public key and tel#
---------------------------
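
The two points in the message above can be checked on a running host. This is an added example, not part of the original message or of any Cobalt tooling: it audits lines in `ps -eo user,args` format for a `named` process that is still root or that was started without `-t` (named's chroot option). The account name, paths and sample lines are constructed.

```sh
#!/bin/sh
# Added example. Audits one line of `ps -eo user,args` output for the two
# hardening points in the message: not running named as root, and chroot().
# -t is named's own chroot option; account names and paths are constructed.
# Returns 0 = non-root and chrooted, 1 = finding, 2 = not a named process.
audit_named_line() {
    set -f                       # no globbing while splitting the line
    set -- $1                    # $1=effective user, $2=command, rest=args
    set +f
    [ $# -ge 2 ] || { echo "SKIP malformed"; return 2; }
    user=$1 cmd=$2
    shift 2
    [ "${cmd##*/}" = named ] || { echo "SKIP not-named"; return 2; }
    jail=""
    while [ $# -gt 0 ]; do
        case $1 in
            -t)   jail=${2:-}; [ $# -lt 2 ] || shift ;;
            -t?*) jail=${1#-t} ;;
        esac
        shift
    done
    if [ "$user" = root ] || [ "$user" = 0 ]; then
        if [ -n "$jail" ]; then
            # chroot() alone does not confine a process that is still root
            echo "FAIL runs-as-root chroot=$jail (ineffective as root)"
        else
            echo "FAIL runs-as-root no-chroot"
        fi
        return 1
    fi
    if [ -z "$jail" ]; then
        echo "WARN user=$user no-chroot"
        return 1
    fi
    echo "OK user=$user chroot=$jail"
    return 0
}

# Constructed sample lines (not taken from a real host).
while IFS= read -r line; do
    printf '%-48s => ' "$line"
    audit_named_line "$line" || :
done <<'EOF'
root  /usr/sbin/named
root  /usr/sbin/named -t /var/named
named /usr/sbin/named -u named -t /var/named
EOF
```

On a live system, feed it real data with `ps -eo user,args | while IFS= read -r l; do audit_named_line "$l"; done`.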