Note: This archive passes through SpamAssassin. Every mail marked with the subject "*****SPAM*****" has exceeded a certain threshold of spam-like behaviour.

Re: [Users] running freeswan as user nobody - anyone?

From: Giacomo Mulas (gmulas_at_ca.astro.it)
Date: Fri Jun 28 2002 - 09:29:28 CEST


On Thu, 27 Jun 2002, Paul Wouters wrote:

> Of course, I'm a strong believer of "there should only be "root" on a
> firewall system :)

Well, I don't completely agree... I think "there should be no other
_interactive_ user than root" on a firewall system. Running any sort of
daemon which can be remotely contacted (and henceforth possibly remotely
exploited to break in) as an unprivileged user, chrooted if at all
possible, is always a very good idea, in my book. At the very least, if
bad things happen, it buys you some time to react and limit damage as the
Bad Guys (TM) look for a way to escalate their privileges. At least, you
may be fast enough to pull the plug before they root your box.

But I believe this is actually what you meant by "there should only be
root"... :)

Just my 2 (Euro)cents...
Giacomo

-- 
_________________________________________________________________

Giacomo Mulas <gmulas_at_ca.astro.it, giacomo.mulas_at_tin.it>
_________________________________________________________________

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 248
Fax : +39 070 71180 222
_________________________________________________________________

"When the storms are raging around you, stay right where you are"
(Freddie Mercury)
_________________________________________________________________

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:17 CEST