
List:       lids-user
Subject:    Re: [lids] EXEC Domain README
From:       Kevin H Kamel <kamelkev () glue ! umd ! edu>
Date:       2000-11-28 22:30:16

yeah it does. I gotta test it out :)

On Tue, 28 Nov 2000, Georg Zoeller wrote:

> Sounds good.
> 
> ----- Original Message ----- 
> From: "Huagang Xie" <xie@gnuchina.org>
> To: "LIDS Mailing List" <lids@egroups.com>
> Sent: Tuesday, November 28, 2000 5:12 PM
> Subject: [lids] EXEC Domain README
> 
> 
> > Hi,
> > 
> > EXEC DOMAIN
> > 
> > concept:
> >         An exec domain is a set of directories that a process can be
> > running in.
> >         Any operation outside this domain is unreachable.
> > 
> > example,
> >         httpd's exec domain is
> >                 * READ /etc/httpd       -> read the config files.
> >                 * WRITE /home/httpd/    -> the working dir.
> >                 * WRITE /var/log/httpd/ -> the httpd log.
> >                 * READ /usr/lib  --> for reading the shared libs.
> >                 * READ /lib/     --> for reading the shared libs.
> >                 * READ /etc/ld.so.cache -> for reading the shared libs.
> > 
> > So, the httpd is running from this domain and after it starts, it cannot
> > read/write files/dirs other than these directories.
> > 
> > Benefit,
> >         any exploit of the httpd and its children cannot get out of this
> > domain, so the intruder can only touch the domain but not other
> > directories.
> > 
> > Usage,
> > 
> > the new lidsadm with lids-0.9.11 adds the "-d" option to support the
> > domain setting, for example,
> > 
> >         lidsadm -A -s /usr/sbin/httpd -d -o /etc/httpd -j READ
> >         lidsadm -A -s /usr/sbin/httpd -d -o /home/httpd/ -j WRITE
> >         lidsadm -A -s /usr/sbin/httpd -d -o /var/log/httpd/ -j WRITE
> >         lidsadm -A -s /usr/sbin/httpd -d -o /usr/lib -j READ
> >         lidsadm -A -s /usr/sbin/httpd -d -o /lib -j READ
> >         lidsadm -A -s /usr/sbin/httpd -d -o /etc/ld.so.cache -j READ
> > 
> > NOTE:  I have not tested the httpd's exec domain! 
> > 
> > XIE.
> > 
> > -- 
> > Happy Hacking
> > 
> > Linux Intrusion Detection System  
> > http://www.lids.org/
> > 

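The following is an added example, not code from the LIDS project or from anyone in this thread. It models Xie's exec-domain idea in plain Python: the httpd domain from the README is kept as (path, level) rules, rendered into the `lidsadm -A -s ... -d -o ... -j ...` lines he shows, and used to answer whether a given access by the confined program stays inside the domain. It assumes (the README does not say) that a WRITE rule also permits reading the same subtree; `allowed`, `audit` and `HTTPD_DOMAIN` are names chosen here.

```python
# Added example: a toy model of a LIDS exec domain, not LIDS code.
# Assumption (not stated in the README): WRITE on a subtree also permits READ.
from pathlib import PurePosixPath

LEVELS = {"READ": 1, "WRITE": 2}

# Constructed from the httpd example in the README.
HTTPD_DOMAIN = [
    ("/etc/httpd", "READ"),
    ("/home/httpd/", "WRITE"),
    ("/var/log/httpd/", "WRITE"),
    ("/usr/lib", "READ"),
    ("/lib", "READ"),
    ("/etc/ld.so.cache", "READ"),
]

def lidsadm_lines(program, domain):
    """Render one lidsadm rule per domain entry, in the README's form."""
    return [f"lidsadm -A -s {program} -d -o {path} -j {level}"
            for path, level in domain]

def _covers(rule_path, target):
    """True if target is the rule's path or lies underneath it."""
    rule = PurePosixPath(rule_path)   # trailing '/' is normalised away
    tgt = PurePosixPath(target)
    return tgt == rule or rule in tgt.parents

def allowed(domain, target, op):
    """True if op ('READ' or 'WRITE') on target stays inside the domain."""
    best = 0
    for path, level in domain:
        if _covers(path, target):
            best = max(best, LEVELS[level])
    return best >= LEVELS[op]

def audit(domain, accesses):
    """Return the accesses that fall outside the domain, i.e. what the
    confined httpd (and anything spawned from it) could not reach."""
    return [(t, op) for t, op in accesses if not allowed(domain, t, op)]

if __name__ == "__main__":
    print("\n".join(lidsadm_lines("/usr/sbin/httpd", HTTPD_DOMAIN)))
    probes = [("/etc/httpd/httpd.conf", "WRITE"),      # config is READ only
              ("/home/httpd/html/index.html", "WRITE"),
              ("/etc/shadow", "READ")]                  # not in the domain
    for t, op in audit(HTTPD_DOMAIN, probes):
        print(f"outside domain: {op} {t}")
```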

