List: fwtk-users
Subject: Re: [fwtk-users] chrooted environment
From: ArkanoiD <ark () eltex ! net>
Date: 2007-02-11 1:10:25
Message-ID: 20070211011025.GA27822 () eltex ! net
Another thing I am thinking about is reasonable systrace/selinux
policies for proxies. Just a matter of time..
(more after the quoted text)
On Fri, Feb 09, 2007 at 09:05:07AM -0800, David Lang wrote:
> >c) configuration reload - seems that chroot should be done after
> >fork, not before, anyways.. it works this way now. and i do not
> >think it is less secure as configuration file is left outside the chroot,
> >as intended.
>
> two possible approaches
>
> 1. (what you seem to suggest)
>
> A. start
> B. read config
> C. listen
> D. accept connection
> E. fork
> F. chroot
> G. handle connection
>
> 2.
>
> A. start
> B. read config
> C. chroot
> D. listen
> E. accept connection
> F. fork
> G. handle connection
>
> while option 2 doesn't allow for a re-read of the config, I think it's more
> secure because it doesn't do anything with the outside world until after
> the chroot, so any vulnerabilities in the initial connection code are limited.
Yes, and if there will be any new bugs in, say, resolver library..
I'll think on "safedaemon" option ;-)
_______________________________________________
Fwtk-users mailing list
Fwtk-users@buoy.com
http://www.buoy.com/mailman/listinfo/fwtk-users
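
Option 2 from the quoted outline (read config, chroot, listen, accept, fork), written out in C as an added example; it is not FWTK code and not code from either poster. The jail directory `/var/empty`, uid/gid 65534 and port 8025 are assumptions, and the privilege drop after `chroot()` is an addition the thread does not discuss.

```c
#define _DEFAULT_SOURCE            /* chroot(), setgroups() on glibc */
#include <grp.h>
#include <netinet/in.h>
#include <signal.h>
#include <sys/socket.h>
#include <unistd.h>
/* Step C: enter the jail, then give up root. 0 on success, -1 on any failure. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (chdir(dir) != 0 || chroot(".") != 0 || chdir("/") != 0)
        return -1;
    /* Root can walk out of a chroot: drop groups, gid, then uid, in that order. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;   /* getting root back must fail */
}
/* Step D: the socket is created only after the jail has been entered. */
int make_listener(unsigned short port)
{
    struct sockaddr_in a = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int lfd, c;
    /* Step B, reading the configuration, belongs here: before the jail. */
    /* Assumed values: jail directory, uid/gid 65534, port 8025. */
    if (enter_jail("/var/empty", 65534, 65534) != 0 || (lfd = make_listener(8025)) < 0)
        return 1;                                  /* fail closed: never serve unjailed */
    signal(SIGCHLD, SIG_IGN);                      /* children are reaped automatically */
    while ((c = accept(lfd, NULL, NULL)) >= 0) {   /* step E */
        if (fork() == 0) {                         /* step F */
            write(c, "ready\r\n", 7);              /* step G: placeholder handler */
            _exit(0);
        }
        close(c);
    }
    return 1;
}
```

Because root is given up before `listen`, the port has to be an unprivileged one; the program must be started as root for `chroot()` to succeed.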