Security: Best practices, apparmor, -L, -R, -U

Guus Sliepen guus at tinc-vpn.org
Tue Jan 7 17:10:51 CET 2014


On Tue, Jan 07, 2014 at 03:30:53PM +0100, Phooraalai wrote:

> I would now like to secure my tinc installation. From the man page I see
> the following.
> 
> -L
> I put EXTRA="-L" in /etc/default/tinc and tinc still works.

Note that if you use -L and -U together, then it might be that the maximum
amount of memory that tinc can use is too limited. You can change this by
adding this line to /etc/default/tinc:

ulimit -l 1024

(See the manpage of dash to find out more about the ulimit command.)

> -R
> Do I have to put libraries and device files under /etc/tinc/NETNAME to
> build a functional chroot jail?

No, tinc loads the libraries it depends on, opens the tun/tap device and runs
tinc-up before it chroots itself. However, if you have any other scripts that
you want tinc to run, then you have to make sure everything necessary for those
scripts is in the chroot environment.

> -U
> Can I use user nobody or shall I better use an extra tincvpn user?
> Right now tinc is running as root.

Having an extra tincvpn user is safer.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
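
Added here as a worked check, not code from the message above or from tinc itself: a small POSIX sh script that reads a /etc/default/tinc style file as text (the EXTRA="..." line and an optional "ulimit -l N" line) and reports whether tincd would start with both -L (mlockall) and -U (drop privileges) under a locked-memory limit that is too small. Assumptions: the 1024 KiB floor is the value Guus suggests; the long option names (--mlock, --user, --net, --config, --option) and which short options take an argument (-c, -n, -o, -U) are taken from tincd(8) as I recall it; the sample files and the 64 KiB "inherited" limit are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not tinc's own code. Pre-flight check for the -L/-U
# combination: parse a /etc/default/tinc style file without sourcing it
# and decide whether "ulimit -l" needs raising before tincd starts.
# Assumed from tincd(8): -L/--mlock, -U/--user, and that -c, -n, -o, -U
# take an argument. The 1024 KiB floor is the value from the message.

# Print the value of the last EXTRA=... assignment in a defaults file,
# with surrounding single or double quotes stripped.
extra_opts() {
    last=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            EXTRA=*)
                v=${line#EXTRA=}
                v=${v#\"}; v=${v%\"}
                v=${v#\'}; v=${v%\'}
                last=$v ;;
        esac
    done < "$1"
    printf '%s\n' "$last"
}

# Print the N from the last "ulimit -l N" line, or nothing if absent.
memlock_in_defaults() {
    last=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "ulimit -l "*) last=${line#"ulimit -l "} ;;
        esac
    done < "$1"
    printf '%s\n' "$last"
}

# Return 0 if the option string contains both -L and -U. Clustered short
# options ("-LR"), attached arguments ("-Utincvpn", "-nvpn") and the long
# forms are handled; the argument of -c/-n/-o/-U is never read as options.
uses_mlock_and_user() {
    l=0; u=0; skip=0
    for word in $1; do
        if [ "$skip" = 1 ]; then skip=0; continue; fi
        case "$word" in
            --mlock) l=1 ;;
            --user) u=1; skip=1 ;;
            --user=*) u=1 ;;
            --net|--config|--option) skip=1 ;;
            --*) ;;
            -?*)
                rest=${word#-}
                while [ -n "$rest" ]; do
                    c=${rest%"${rest#?}"}   # first character of $rest
                    rest=${rest#?}
                    case "$c" in
                        L) l=1 ;;
                        U) u=1; [ -n "$rest" ] || skip=1; break ;;
                        c|n|o) [ -n "$rest" ] || skip=1; break ;;
                    esac
                done ;;
        esac
    done
    [ "$l" = 1 ] && [ "$u" = 1 ]
}

# Return 0 if a locked-memory limit ("unlimited" or a KiB count, as
# printed by "ulimit -l") is at least $2 KiB.
memlock_ok() {
    case "$1" in
        unlimited) return 0 ;;
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$2" ]
}

# Verdict for one defaults file. $2 is the limit tincd would inherit if
# the file sets none (pass "$(ulimit -l)" on a real host).
# Prints: not-needed (no -L/-U pair), ok, or raise-ulimit.
check_defaults() {
    opts=$(extra_opts "$1")
    if ! uses_mlock_and_user "$opts"; then
        echo not-needed
        return 0
    fi
    limit=$(memlock_in_defaults "$1")
    [ -n "$limit" ] || limit=$2
    if memlock_ok "$limit" 1024; then echo ok; else echo raise-ulimit; fi
}

# Constructed sample files, not configuration from the thread.
SAMPLE_BAD=$(mktemp)
printf '%s\n' '# locks memory and drops privileges, keeps the default limit' \
    'EXTRA="-L -U tincvpn"' > "$SAMPLE_BAD"
SAMPLE_GOOD=$(mktemp)
printf '%s\n' 'ulimit -l 1024' 'EXTRA="-LR -Utincvpn"' > "$SAMPLE_GOOD"

# 64 KiB is a constructed stand-in for a typical unprivileged default,
# not the real limit on your host.
echo "bad:  $(check_defaults "$SAMPLE_BAD" 64)"     # raise-ulimit
echo "good: $(check_defaults "$SAMPLE_GOOD" 64)"    # ok
```

On a real host run check_defaults /etc/default/tinc "$(ulimit -l)". The reason the ulimit line belongs in /etc/default/tinc is that the init script sources that file while it is still root, before tincd is started, so the raised limit is inherited by tincd and is still in force after the switch to the -U user.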