Security: Best practices, apparmor, -L, -R, -U

Guus Sliepen guus at tinc-vpn.org
Tue Jan 7 21:26:42 CET 2014


On Tue, Jan 07, 2014 at 08:17:58PM +0100, Phooraalai wrote:

> > Note that if you use -L and -U together, then it might be that the maximum
> > amount of memory that tinc can use is too limited. You can change this by
> > adding this line to /etc/default/tinc:
> > 
> > ulimit -l 1024
> 
> Good point, thanks. "ulimit -l 1024" will limit to 1MB of RAM. Will that
> be enough memory for the process?

Ehm, no that will surely not be enough. 50 MB should be more than enough
though.

> >> -U
> 
> The tincvpn user will need the correct ownership and permissions for
> /etc/tinc and its subdirectories? Correct? Anything else where that
> user needs to read and/or write?

It just needs to be able to read /etc/tinc and subdirectories. After dropping
privileges, tinc 1.0.x never opens a file for writing.

> There is no apparmor profile somewhere ? I ask Google and the result did
> not smile happily at me and provided an instantaneous solution ;)

Perhaps someone else on the list has made a profile for tinc, but I do not know
of any. However, if you run tinc chrooted as user tincvpn, and nothing in the
chroot is writable for that user, then there is not very much that AppArmor
would add.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
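As an added example, not code from the tinc project or from anyone in this thread: a small POSIX shell audit that implements the check Guus describes above, that nothing inside the directory tinc is chrooted into (-R) is writable by the unprivileged user it switches to (-U, "tincvpn" in the thread). It assumes a find(1) that supports -user, -group and -perm, an id(1) to resolve the user's primary group, and that the user name is passed on the command line; supplementary group memberships are ignored, which is a simplification. The sample tree it builds for the demonstration is constructed here and is not a real tinc configuration.

```shell
#!/bin/sh
# Added example; not code from the tinc project or the mailing list thread.
# Audit a directory that will serve as tinc's chroot and report every entry
# that the unprivileged -U user could write to. Assumptions: POSIX find(1)
# with -user/-group/-perm, id(1) for the user's primary group; supplementary
# groups are not considered.
#
# Usage: sh audit_chroot.sh /etc/tinc/<netname> tincvpn

# check_chroot_readonly DIR USER
# Prints each path under DIR that USER can write to. Returns 0 when nothing
# is writable by that user, 1 when something is, 2 if USER does not exist.
check_chroot_readonly() {
    dir=$1
    user=$2
    group=$(id -gn "$user") || return 2

    # A path is writable by USER if it is world-writable, owner-writable and
    # owned by USER, or group-writable and in USER's primary group. Octal
    # -perm masks are used for portability across find implementations.
    found=$(find "$dir" \( -perm -002 \) \
                      -o \( -user "$user" -perm -200 \) \
                      -o \( -group "$group" -perm -020 \) 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# make_sample_tree
# Builds a constructed, read-only tree shaped like /etc/tinc/<net> (tinc.conf
# plus a hosts/ directory) and prints its path. Files are owned by the
# current user, since creating files owned by another account needs root.
make_sample_tree() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/hosts"
    printf 'Name = node1\n' > "$tmp/tinc.conf"
    printf 'Subnet = 10.0.0.1/32\n' > "$tmp/hosts/node1"
    chmod 0444 "$tmp/tinc.conf" "$tmp/hosts/node1"
    chmod 0555 "$tmp/hosts" "$tmp"
    printf '%s\n' "$tmp"
}

# remove_sample_tree DIR
# Restores write permission so the read-only tree can be deleted.
remove_sample_tree() {
    chmod -R u+w "$1" && rm -rf "$1"
}

# When run with a directory and a user name, audit that directory.
if [ $# -eq 2 ]; then
    check_chroot_readonly "$1" "$2"
fi
```

Run it against the network's directory with the account named in -U; any output means that account could modify files tinc reads after dropping privileges. On the -L side of the thread: `ulimit -l` is expressed in kilobytes, so the 1024 in the quoted /etc/default/tinc line is the 1 MB Phooraalai computed, and the 50 MB Guus suggests corresponds to `ulimit -l 51200`.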