Great Circle Associates Firewalls
(February 1998)
 


Subject: Re: http server for bastion host
From: Peter da Silva <peter @ baileynm . com>
Date: Tue, 10 Feb 1998 06:42:10 -0600 (CST)
To: firewalls @ greatcircle . com
In-reply-to: <199802100516 . VAA06300 @ yginsburg . el . nec . com> from "Bob De Witt" at Feb 9, 98 09:16:48 pm

> > But, damn it, we've established that CERN HTTPD *is* one of those programs
> > already. What's the point in building a jail when you lock the keys inside?

> That being the case, how are the keys 'inside'?  The jailer controls the 
> whole machine from the 'root-console', yes???

Names removed to protect the guilty:

	Player 1: "I like CERN better than Apache, and it's more secure."
	Player 2: "But CERN doesn't give up root privilege reliably."
	Player 1: "That's OK, I run it chrooted."
	Player 3: "But there's ways out of a chrooted jail if you're root."
	Player 1: "So don't put buggy setuid programs in the jail."

Whereupon I point out that there's no need... CERN *is* one. "The keys are
already in the jail". Makes more sense now?
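
An added example, not part of the original message: one way to audit a host for the condition argued about above, a process that sits in a chroot jail while still holding UID 0 in its real, effective or saved slot. It assumes the Linux /proc layout (`/proc/<pid>/root` symlink, `Uid:` line in `/proc/<pid>/status`); the function names are hypothetical and the sample process tree is constructed.

```python
import os
import tempfile


def root_capable_chrooted(proc_dir="/proc"):
    """List (pid, root_dir, (real, effective, saved)) for every process whose
    root directory is not "/" and that still holds UID 0 in any of the three."""
    findings = []
    for entry in os.listdir(proc_dir):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_dir, entry)
        try:
            root_dir = os.readlink(os.path.join(base, "root"))
            with open(os.path.join(base, "status")) as fh:
                uid_line = next(line for line in fh if line.startswith("Uid:"))
        except (OSError, StopIteration):
            continue  # process exited, or not readable without privilege
        # Linux format: "Uid:  real  effective  saved  filesystem"
        ruid, euid, suid = (int(x) for x in uid_line.split()[1:4])
        # A saved UID of 0 counts: seteuid(0) can restore root inside the jail.
        if root_dir != "/" and 0 in (ruid, euid, suid):
            findings.append((int(entry), root_dir, (ruid, euid, suid)))
    return sorted(findings)


def build_sample_proc(tmp):
    """Constructed sample data: a fake /proc tree (PIDs and paths invented)."""
    sample = {
        101: ("/", "0 0 0 0"),                              # root, not jailed
        202: ("/var/jail/www", "65534 65534 65534 65534"),  # jailed, fully dropped
        303: ("/var/jail/www", "65534 65534 0 65534"),      # jailed, saved UID 0
        404: ("/var/jail/www", "0 0 0 0"),                  # jailed, never dropped
    }
    for pid, (root_dir, uids) in sample.items():
        pid_dir = os.path.join(tmp, str(pid))
        os.mkdir(pid_dir)
        os.symlink(root_dir, os.path.join(pid_dir, "root"))
        with open(os.path.join(pid_dir, "status"), "w") as fh:
            fh.write("Name:\thttpd\nUid:\t%s\n" % uids.replace(" ", "\t"))
    return tmp


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for pid, root_dir, uids in root_capable_chrooted(build_sample_proc(tmp)):
            print(pid, root_dir, "real/effective/saved:", uids)
```

On a live system, call `root_capable_chrooted()` with no argument as root so that every `/proc/<pid>/root` link is readable.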


