From mboxrd@z Thu Jan 1 00:00:00 1970 Received: (from majordomo@localhost) by pauillac.inria.fr (8.7.6/8.7.3) id LAA00347; Tue, 8 Apr 2003 11:00:57 +0200 (MET DST) X-Authentication-Warning: pauillac.inria.fr: majordomo set sender to owner-caml-list@pauillac.inria.fr using -f Received: (from xleroy@localhost) by pauillac.inria.fr (8.7.6/8.7.3) id LAA00335 for caml-list@pauillac.inria.fr; Tue, 8 Apr 2003 11:00:56 +0200 (MET DST) Received: from concorde.inria.fr (concorde.inria.fr [192.93.2.39]) by pauillac.inria.fr (8.7.6/8.7.3) with ESMTP id JAA26096 for ; Mon, 7 Apr 2003 09:15:08 +0200 (MET DST) Received: from ajax.cs.uga.edu (ajax.cs.uga.edu [128.192.251.3]) by concorde.inria.fr (8.11.1/8.11.1) with ESMTP id h377F7508750 for ; Mon, 7 Apr 2003 09:15:07 +0200 (MET DST) Received: from cs.uga.edu (ajax.cs.uga.edu [128.192.251.3]) by ajax.cs.uga.edu (8.9.3/8.9.3) with ESMTP id DAA14842 for ; Mon, 7 Apr 2003 03:15:03 -0400 (EDT) To: OCaml List Subject: Re: [Caml-list] Our shrinking Humps From: Ed L Cashin Date: Mon, 07 Apr 2003 03:15:04 -0400 In-Reply-To: <20030407092308Q.garrigue@kurims.kyoto-u.ac.jp> (Jacques Garrigue's message of "Mon, 07 Apr 2003 09:23:08 +0900") Message-ID: <87istqzslj.fsf@cs.uga.edu> User-Agent: Gnus/5.090014 (Oort Gnus v0.14) Emacs/21.2 (i386-debian-linux-gnu) References: <20030405060347.GA2823@iliana> <200304052106.XAA05780@pauillac.inria.fr> <20030406172038.GA12694@ontosoft.com> <20030407092308Q.garrigue@kurims.kyoto-u.ac.jp> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam: no; 0.00; caml-list:01 shrinking:01 jacques:01 isps:99 jkb:99 howto:01 kernel:01 garrigue:01 writes:01 trivial:01 pgp:02 modules:02 loaded:04 host:93 kurims:06 X-Spam: no; 0.00; caml-list:01 shrinking:01 jacques:01 isps:99 jkb:99 howto:01 kernel:01 garrigue:01 writes:01 trivial:01 pgp:02 modules:02 loaded:04 host:93 kurims:06 Sender: owner-caml-list@pauillac.inria.fr Precedence: bulk Jacques Garrigue writes: ... > The jail(8) facility in FreeBSD allows that: you may create a virtual > machine inside a server, which is completely isolated from everything > else inside the host machine. Some ISPs are using it to provide root > accounts. > Still, I expect that setting up a really secure virtual machine is far > from trivial: you get just the same problems as with a real machine. FreeBSD goes a long way, though, toward "real" security. Another big help is the kernel securelevels feature: http://people.freebsd.org/~jkb/howto.html#sl With this feature, you can get a server in a state where no modules may be loaded into the kernel and certain parts of the file system are not writable at all -- having root isn't enough. If you can trust the kernel and some files to be secure, then you have a pretty good foundation for the other steps you take. -- --Ed L Cashin | PGP public key: ecashin@uga.edu | http://noserose.net/e/pgp/ ------------------- To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/ Beginner's list: http://groups.yahoo.com/group/ocaml_beginners