Re: [suse-security] Re: AppArmor and vsftpd

From: Crispin Cowan (crispinnovell.com)
Date: Thu Aug 17 2006 - 20:53:01 CDT


Henning Hucke wrote:
> Which system is obviously marking such mails as SPAM and why!?
>
I have no idea :(

> On Sat, 5 Aug 2006, Crispin Cowan wrote:
>
>> The protections offered by chroot are redundant with the protections
>> offered by AppArmor.
>>
> Don't forget to mention that he should find all and every hard/soft link
> to the server and refer to the AppArmor profile (is this possible?
> Otherwise *copy* the Profile <shiver/>) for the case that a link instead
> of the "original" binary is used. <sigh/>
>
Well, no, that is not correct.

AppArmor offers no protection for unconfined processes. You cannot force
someone with an unconfined shell to only execute programs under an
AppArmor profile, because they can just copy the program itself to
another place and run it. If you want to defend your system against a
shell user, you must confine their shell in the first place.

If you have confined their shell, then you only give them execute
permissions to the programs you want them to be able to execute, and
under the policies you desire. You don't need to worry about strange
aliases, because the confined shell has no permission to execute them
anyway.

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
     Hack: adroit engineering solution to an unanticipated problem
     Hacker: one who is adroit at pounding round pegs into square holes
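As an added illustration of the point Crispin makes above (this profile is not from the thread and not Novell's or SUSE's own code), here is what "confine their shell in the first place" looks like in AppArmor policy. The shell path `/usr/local/bin/restricted-sh` and the location of the vsftpd binary are assumptions for the example. Because AppArmor denies anything a profile does not list, the user of this shell can only execute the three programs named, and a copy of any binary dropped under `/home` or `/tmp` is not executable because those trees carry no `x` permission:

```apparmor
# Added example profile, not part of the original post. Path of the
# restricted shell is a hypothetical choice for illustration.
#include <tunables/global>

/usr/local/bin/restricted-sh {
  #include <abstractions/base>

  # the shell binary itself: read and map as executable
  /usr/local/bin/restricted-sh mr,

  # programs the user may run; "ix" keeps them under this same profile
  /bin/ls   ix,
  /bin/cat  ix,

  # a daemon with its own profile: "px" transitions into that profile
  # (exec fails if no profile exists for it). Location assumed.
  /usr/sbin/vsftpd px,

  # data the user may touch. No "x" here, so a copied binary placed in
  # these directories cannot be run, regardless of links or aliases.
  /home/** rw,
  /tmp/**  rw,
}
```

Save it as `/etc/apparmor.d/usr.local.bin.restricted-sh`, load it with `apparmor_parser -r` on that file, and confirm it is in enforce mode with `aa-status`. Anything the confined shell tries outside this list shows up in the kernel log as an `apparmor="DENIED"` audit message, which is the check a practitioner would watch while tightening the list.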
