Preemptive strategies

Chris Buxton cbuxton at menandmice.com
Fri Sep 19 08:30:12 PDT 2008


On Sep 19, 2008, at 12:40 AM, Jan Dvorak wrote:
> On Thursday 18 September 2008 18:58:31 Chris Buxton wrote:
>> I'm not familiar with 'runas' for Linux. (There's a Windows command  
>> of
>> that name...) On the surface, it sounds like 'sudo'.
>
> runas is much simpler and merely starts a process with given user,  
> group
> and optionally after chroot call.

OK then. It sounds like we can try using this to confine services to  
chroot jails, although a combination of 'sudo', 'chgrp', and 'chroot'  
would work as well. We still need to use libcap2 to assign the right  
to open a privileged port, as needed, and there may be more. Each  
service started this way will need to be thoroughly tested.

We also need to configure the correct security settings to make sure  
that processes don't break out of chroot jails.

Chris Buxton
Professional Services
Men & Mice




More information about the hlfs-dev mailing list