
Re: [Users] running freeswan as user nobody - anyone?

From: Linas Vepstas (linas_at_linas.org)
Date: Fri Jun 28 2002 - 02:13:56 CEST


On Thu, Jun 27, 2002 at 05:20:30PM +0200, Paul Wouters was heard to remark:
> On Thu, 27 Jun 2002, shazad malik wrote:
>
> > I was wondering if someone has run ipsec as the user "nobody"? Is it a good
> > idea! My idea is to run an ipsec in a chroot environment! Just in case, if
> > someone has access to the box! he will be boxed within a certain area!
> >
> As far as I can tell, you will gain absolutely nothing. If pluto would
> contain some bug allowing remote access, you already have all you want
> from the firewall, and you don't really care about the rest.

??
If properly configured, such a theoretical hack would still prevent
the hacker from getting at the private keys, changing (or even reading)
ipsec.conf, or other files on the compromised system (such as the
password file, or changing the dns entries).

So I would think that a properly partitioned box would still limit
the damage done during compromise; so I don't understand what you mean
by 'gain absolutely nothing'.

--linas

-- 
pub  1024D/01045933 2001-02-01 Linas Vepstas (Labas!) <linas_at_linas.org>
PGP Key fingerprint = 8305 2521 6000 0B5E 8984  3F54 64A9 9A82 0104 5933



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:17 CEST