Borg <resis...@is.futile> writes:
> To build a Debian jail for INN2 I must know every single file, device
> file, and directory to which INN needs access so that I may whitelist
> them and blacklist all others. The end goal is to build a restricted
> sandbox that locks out all other directories and binaries so that remote
> compromise is rendered nigh impossible--then package it up with easy
> options to operate over a Tor hidden service. The end user/operator
> would just drop down the jail file and execute it then everything will
> be up and running, with a Tor hidden service, systemd profiles and
> services included.

This is unfortunately going to be really hard because INN is rather
sprawling, particularly if you include all of the optional configurations
and extra supported features.

Why not just make a container? I think a container based on a Debian
stable image with the inn2 package installed would accomplish roughly the
same thing. You'd have extra binaries in the container that INN
technically doesn't need, but I highly doubt that would introduce any new
security risks over all the stuff INN does need.

--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>

Please post questions rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.