On Thu, 27 Jun 2002, shazad malik wrote:
> I was wondering if someone has run ipsec as the user "nobody"? Is it a good
> idea? My idea is to run an ipsec in a chroot environment! Just in case, if
> someone has access to the box, he will be boxed within a certain area!
>
> Has anyone implemented this scenario, and is it a good idea? Any
> thoughts? ideas? sharing notes?

Hmm, there are two things that are worth guarding on an ipsec firewall.
One is the ipsec.secrets file (needed by ipsec) and the other is the
actual decrypted traffic (will be seen by ipsec subsystem).

The second can be gotten by having the first, and the encrypted traffic.

As far as I can tell, you will gain absolutely nothing. If pluto would
contain some bug allowing remote access, you already have all you want
from the firewall, and you don't really care about the rest.

Of course, I'm a strong believer of "there should only be 'root' on a
firewall system" :)

Paul
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:17 CEST