Enterprise Unix Roundup Sun's DDoS PR Attack – page 2
» We're not particularly financial news minded, so the big news from the SCO Wars this week, that investor BayStar had gotten SCO to buy back all of its preferred shares in the company for $13 million in cash and more than 2 million shares of common stock, left us nonplussed. On the one hand, SCO avoided losing all of the investment BayStar made in it, but on the other it seems to have a lot less in the way of a war chest with which to sue the world. Interpretations of the news fell along the lines of "mainstream reporters" (who seemed to look at it like "SCO has more latitude now that it doesn't have any preferred shares floating around out there" and "SCO hasn't, at least, been pauperized") vs. the Linux enthusiast press (who began to cry "death spiral!" as soon as the news hit the wires). The stock market responded with a slight lift in SCO's trading price. We welcome any Roundup readers with a head for markets to spell it out for us while we, uh, make some shell scripts more portable or something.
» Novell announced the second beta release of Mono, an open source implementation of Microsoft's .NET for Linux and Unix. The beta is the last release before Mono 1.0, which is to be released on June 30. The ins and outs of the free/open source software community's uneasy relationship with .NET were covered just this week, too, maybe in more detail than an outside observer wants to know about the internecine struggles of feuding developer camps.
» A new Gartner report shows Linux eating at Unix's relational database market, even as the overall market grew 158 percent from 2002 to 2003. Interestingly enough, Oracle knocked IBM out of the top sales spot for Linux in that area.
» Intel released the first 802.11g Centrino drivers for Linux. Your Linux-using laptop clients probably won't see much benefit from the new drivers for a while, though. The company cautions that they're of pre-beta quality at this point.
Security Roundup
- Apple released Mac OS X Update 10.3.4, fixing a collection of bugs in NFS, logging, and assorted other packages.
- Debian patched rsync to fix a directory traversal bug.
- SGI released Advanced Linux Environment security update #20, which features a smorgasbord of patches to rsync, cadaver, and cvs. SGI also released Advanced Linux Environment 3 Security Update #2, which covers a similar set of problems as well as a vulnerability in OpenSSL.
Tips of the Trade
By Carla Schroder

Securing any publicly accessible server, such as Web, mail, or DNS, always presents a challenge. Using servers designed to be secure, like Apache, Postfix, and djbdns, is important. But you still have to leave a door open to the world at large, and the Internet is full of automated attack tools running 24x7.
Running a server in a chroot jail adds one more layer of protection. While it won't keep an attacker out, it will limit the scope of an attacker's activities to the inside of the chroot jail. chroot creates a new root filesystem that is isolated from the rest of the system. Any directory can be the root of a chroot jail, just by doing this:
# mkdir temp
# chroot temp
chroot: /bin/bash: No such file or directory
Whoops. This illustrates the hard part of using a chroot jail: You must first create your directory structure and copy all the necessary files, executables, and libraries into it. Because a chroot jail is a self-contained environment, you must ensure it has everything it needs.
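One way to populate a jail, shown here as an added example that is not part of the original column: the functions below copy a binary and the shared libraries ldd reports for it into a jail directory, then list anything still missing. The function names and the requirement that the binary be given as an absolute path are assumptions of this example.

```shell
#!/bin/sh
# Added example: populate a chroot jail with a binary and its libraries.
# Only run ldd on binaries you trust; ldd may execute code from the file
# it inspects.

# Print the absolute path of every shared object ldd reports for $1.
jail_deps() {
    ldd "$1" 2>/dev/null | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\//) { print $i; break }
    }' | sort -u
}

# Copy file $2 into jail $1 at the same absolute path, following symlinks
# so the jail holds a real file rather than a link pointing outside it.
jail_copy() {
    mkdir -p "$1$(dirname "$2")" && cp -L "$2" "$1$2"
}

# build_jail JAIL BINARY: install BINARY (absolute path) and its libraries.
build_jail() (
    jail=$1 bin=$2
    [ -x "$bin" ] || { echo "not executable: $bin" >&2; exit 1; }
    jail_copy "$jail" "$bin" || exit 1
    for lib in $(jail_deps "$bin"); do
        jail_copy "$jail" "$lib" || exit 1
    done
)

# jail_missing JAIL BINARY: list files BINARY needs that JAIL lacks.
# Empty output means the jail is complete for BINARY.
jail_missing() (
    jail=$1 bin=$2
    for f in "$bin" $(jail_deps "$bin"); do
        [ -e "$jail$f" ] || echo "$f"
    done
)

# Usage, with /srv/jail as a placeholder path (the chroot step needs root):
#   build_jail /srv/jail /bin/bash && chroot /srv/jail /bin/bash
```

Running jail_missing against an existing jail before restarting a service shows whether a library upgrade on the host left the jail's copies incomplete.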
Some servers, such as Postfix, have built-in chroot support. To enable Postfix's chroot jail, all you do is say 'y' in the chroot column in master.cf:
/etc/postfix/master.cf:
# =============================================================
# service type  private unpriv  chroot  wakeup  maxproc command
#               (yes)   (yes)   (yes)   (never) (100)
# =============================================================
smtp      inet  n       -       y       -       -       smtpd
Another way to enable a chroot jail for a server is by editing its startup script. This sample /etc/init.d/named shows how BIND does it:
# Start daemons.
echo -n "Starting named: "
daemon /usr/local/sbin/named -u named -t /chroot/named -c /etc/named.conf
Like any security measure, chroot jails are not impregnable. But they do add a useful layer of protection. The best resource for learning more about chroot jails is your server documentation.
Carla Schroder writes the Tips of the Trade section of Enterprise Unix Roundup. She also appears on Crossnodes every Wednesday, and is the author of the site's popular Scripting Clinic, which deals with Unix/Linux scripting issues.