For example, in Debian woody it is around 40 MB; try this:
$ size=0
$ for i in `grep -A 1 -B 1 "^Section: base" /var/lib/dpkg/available |
    grep -A 2 "^Priority: required" | grep "^Installed-Size" | cut -d : -f 2`; do
    size=$(($size+$i)); done
$ echo $size
34234
Many intrusions are made just to gain access to resources for illegitimate activity (denial of service attacks, spam, rogue FTP servers, DNS pollution...) rather than to obtain confidential data from the compromised system.
You can make (on another system) a dummy package with
beware of the case here since spawn will not work
unless you use the instdir option when calling
but then the chroot jail might be a little more complex
You probably only need it if using NFS (Network FileSystem), NIS (Network Information System) or some other RPC-based service.
Unlike personal firewalls in other operating systems, Debian GNU/Linux does not
(yet) provide firewall generation interfaces that can make rules limiting them
per process or user. However, the iptables code can be configured to do this
(see the owner module in the
There are over 28 capabilities including: CAP_BSET, CAP_CHOWN, CAP_FOWNER, CAP_FSETID, CAP_FS_MASK, CAP_FULL_SET, CAP_INIT_EFF_SET, CAP_INIT_INH_SET, CAP_IPC_LOCK, CAP_IPC_OWNER, CAP_KILL, CAP_LEASE, CAP_LINUX_IMMUTABLE, CAP_MKNOD, CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SETGID, CAP_SETPCAP, CAP_SETUID, CAP_SYS_ADMIN, CAP_SYS_BOOT, CAP_SYS_CHROOT, CAP_SYS_MODULE, CAP_SYS_NICE, CAP_SYS_PACCT, CAP_SYS_PTRACE, CAP_SYS_RAWIO, CAP_SYS_RESOURCE, CAP_SYS_TIME, and CAP_SYS_TTY_CONFIG. All of them can be activated or de-activated to harden your kernel.
You do not need to install lcap to do this, but it's easier than setting
/proc/sys/kernel/cap-bound by hand.
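Added example (not from the manual and not lcap's own code): the value in /proc/sys/kernel/cap-bound is a bit mask with one bit per capability, so working it out by hand means clearing the right bits. The POSIX sh sketch below does that arithmetic without touching /proc; the bit numbers are those of <linux/capability.h>, the function names are made up for illustration, and the starting mask is a constructed sample value.

```shell
#!/bin/sh
# Capability names in bit order, as numbered in <linux/capability.h>:
# CAP_CHOWN is bit 0, CAP_LEASE is bit 28.
CAP_NAMES="CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER
CAP_FSETID CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW
CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT
CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE
CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE"

# cap_bit NAME: print the bit number of NAME, fail if it is unknown.
cap_bit() {
    n=0
    for c in $CAP_NAMES; do
        if [ "$c" = "$1" ]; then echo "$n"; return 0; fi
        n=$((n + 1))
    done
    return 1
}

# drop_caps MASK NAME...: print MASK with each NAME's bit cleared,
# as an unsigned 32-bit hex value. MASK may be signed decimal or hex.
drop_caps() {
    mask=$(( $1 & 0xFFFFFFFF )); shift
    for name in "$@"; do
        bit=$(cap_bit "$name") || {
            echo "unknown capability: $name" >&2; return 1; }
        mask=$(( mask & ~(1 << bit) & 0xFFFFFFFF ))
    done
    printf '0x%08X\n' "$mask"
}

# has_cap MASK NAME: succeed if NAME is still present in MASK.
has_cap() {
    bit=$(cap_bit "$2") || return 2
    [ $(( (($1 & 0xFFFFFFFF) >> bit) & 1 )) -eq 1 ]
}

# Constructed sample: -257 (0xFFFFFEFF) has every bit set except CAP_SETPCAP.
current=-257
new=$(drop_caps "$current" CAP_SYS_MODULE CAP_SYS_RAWIO)
echo "mask without module loading and raw I/O: $new"
for cap in CAP_SYS_MODULE CAP_SYS_RAWIO CAP_NET_ADMIN; do
    if has_cap "$new" "$cap"; then echo "$cap: kept"; else echo "$cap: dropped"; fi
done
```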
Securing Debian Manual 2.5 (beta), 29 August 2002 (Sat, 17 Aug 2002 12:23:36 +0200)