Security: Best practices, apparmor, -L, -R, -U
Phooraalai
phooraalai at googlemail.com
Tue Jan 7 20:17:58 CET 2014
Hello Guus,
>> -L
>> I put EXTRA="-L" in /etc/default/tinc and tinc still works.
>
> Note that if you use -L and -U together, then it might be that the maximum
> amount of memory that tinc can use is too limited. You can change this by
> adding this line to /etc/default/tinc:
>
> ulimit -l 1024
>
> (See the manpage of dash to find out more about the ulimit command.)
Good point, thanks. "ulimit -l 1024" will limit to 1MB of RAM. Will that
be enough memory for the process ?
>
>> -R
>> Do I have to put libraries and device files under /etc/tinc/NETNAME to
>> build a functional chroot jail ?
>
> No, tinc loads the libraries it depends on, opens the tun/tap device and runs
> tinc-up before it chroots itself. However, if you have any other scripts that
> you want tinc to run, then you have to make sure everything necessary for those
> scripts is in the chroot environment.
I do have a tinc-down in which I use iptables to delete an iptables
chain which I have created in tinc-up. So I will need everything that is
a dependency for programs called in tinc-down. However I could proably
do without tinc-down. I will try that out. Thanks.
>
>> -U
>> Can I use user nobody or shall I better use an extra tincvpn user ?
>> Right now tinc is running as root
>
> Having an extra tincvpn user is safer.
The tincvpn user will need the correct ownership and permissions for
/etc/tinc and its subdirectories ? Correct ? Anything else where that
user needs to read and/or write ?
There is no apparmor profile somewhere ? I ask Google and the result did
not smile happily at me and provided an instantaneous solution ;)
BR
P.
More information about the tinc
mailing list