Re: [Sks-devel] chrooting sks.


From: Yaron Minsky
Subject: Re: [Sks-devel] chrooting sks.
Date: Thu, 30 Sep 2004 15:45:39 -0400

On Thu, 30 Sep 2004 12:52:05 -0600 (MDT), Chris Kuethe
<address@hidden> wrote:
> On Thu, 30 Sep 2004 address@hidden wrote:
> 
> You should be able to hack sks to do a simple chroot()/setuid(). It wasn't
> terribly hard to do that to PKS, but then again, I don't really grok OCaml.
> Plus, I'm still trying to understand the best way to put a global into sks
> so that everything that logs can be {en,dis}abled.

The Settings module (settings.ml) has pretty much all of the mutable
settings.  The Common module, where logging is defined, already looks
there for whether to enable debugging messages at all (Settings.debug)
and what the debug level is (Settings.debuglevel).  I would think
that's where you should put the settings.

> Granted, that means you need to start it as root so it can chroot(), but sks
> can then drop privileges immediately afterwards. Perhaps it can refuse to run
> as root.
> 
> Chrooting things can have a fairly high PITA factor, especially if you want
> to use DNS lookups on the fly and send out mail. Actually, DNS isn't that
> hard - just make sure an appropriate /etc/resolv.conf appears inside the
> jail, and you should be good to go.
> 
> CK
> 
> --
> Chris Kuethe, GCIA CISSP: Secure Systems Specialist - U of A CNS
>        office: 157 General Services Bldg.    +1.780.492.8135
>                address@hidden
> 
>       GDB has a 'break' feature; why doesn't it have 'fix' too?
> 
>
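
The chroot()/setuid() sequence described in the quoted text, written out as an added C example; it is not code from this thread, from SKS or from PKS. The jail path and the uid/gid 65534 are assumptions, and `jail_and_drop` is a hypothetical helper name.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes chroot() and setgroups() in glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter `jail` and permanently become uid/gid.
 * Returns 0 on success, or a negative code naming the step that failed. */
int jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;               /* "dropping" to root is not a drop: refuse */
    if (chdir(jail) != 0)
        return -2;               /* jail directory missing or not accessible */
    if (chroot(".") != 0)
        return -3;               /* must be started as root to chroot() */
    if (chdir("/") != 0)
        return -4;               /* make sure the cwd is inside the new root */
    /* Groups before uid: after setuid() we may no longer change groups. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0)
        return -5;
    if (setuid(uid) != 0)
        return -6;
    /* Refuse to run as root: the drop must have happened and be irreversible. */
    if (setuid(0) == 0 || getuid() == 0 || geteuid() == 0)
        return -7;
    return 0;
}

int main(int argc, char **argv)
{
    /* Hypothetical jail path; for DNS lookups it must contain etc/resolv.conf. */
    const char *jail = argc > 1 ? argv[1] : "/var/empty/sks-jail";
    int rc = jail_and_drop(jail, 65534, 65534);   /* assumed unprivileged ids */

    if (rc != 0) {
        fprintf(stderr, "refusing to start: jail_and_drop failed at step %d\n", -rc);
        return 1;
    }
    /* The server's main loop would start here, jailed and unprivileged. */
    return 0;
}
```

Every failure is fatal by design: continuing after a failed chroot() or setuid() would leave the process running as root outside the jail.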



