File: 99_appendix.po

package info (click to toggle)
harden-doc 3.19%2Bnmu1
  • links: PTS, VCS
  • area: main
  • in suites: bookworm, bullseye, sid
  • size: 15,332 kB
  • sloc: xml: 11,790; sh: 52; makefile: 16
file content (2694 lines) | stat: -rw-r--r-- 146,096 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
msgid ""
msgstr ""
"Project-Id-Version: harden-doc 3.19\n"
"Report-Msgid-Bugs-To: <debian-i18n@lists.debian.org>\n"
"POT-Creation-Date: 2018-04-29 00:18+0200\n"
"PO-Revision-Date: 2018-04-29 08:23+0200\n"
"Last-Translator: Philipe Gaspar <philipegaspar@gmail.com>\n"
"Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian.org>\n"
"Language: pt_BR\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

msgid "Appendix"
msgstr ""

msgid "The hardening process step by step"
msgstr "Passo-a-passo do processo de fortalecimento"

msgid "Below is a post-installation, step-by-step procedure for hardening a Debian 2.2 GNU/Linux system. This is one possible approach to such a procedure and is oriented toward the hardening of network services. It is included to show the entire process you might use during configuration. Also, see <xref linkend=\"checklist\" />."
msgstr "Abaixo está uma pós-instalação, um procedimento passo-a-passo para tornar no sistema Debian 2.2 GNU/Linux mais seguro. Esse procedimento é uma alternativa para tornar os serviços de redes mais seguros. Será mostrado o processo completo do que deve ser feito durante a configuração. Também, veja  <xref linkend=\"checklist\" />."

msgid "Install the system, taking into account the information regarding partitioning included earlier in this document. After base installation, go into custom install. Do not select task packages."
msgstr "Instale o sistema, levando em conta as informações sobre o particionamento que foi citada anteriormente neste documento. Depois da instalação básica, vá à instalação personalizada. Não selecione os pacotes de tarefa. Selecione senhas no formato shadow."

msgid "Using <command>dselect</command>, remove all unneeded but selected packages before doing [I]nstall. Keep the bare minimum of packages for the system."
msgstr "Usando <command>dselect</command>, exclua todos os pacotes desnecessários, exceto os selecionados, antes de proceder com o [I]nstall. Mantenha um número reduzido de pacotes para o sistema."

msgid "Update all software from the latest packages available at security.debian.org as explained previously in <xref linkend=\"security-update\" />."
msgstr "Atualize todos os softwares para a última versão disponível dos pacotes em security.debian.org como explicado anteriormente em <xref linkend=\"security-update\" />."

msgid "Implement the suggestions presented in this manual regarding user quotas, login definitions and <command>lilo</command>"
msgstr "Implementar as sugestões apresentadas neste manual com relação às cotas de usuários, definições de login e <command>lilo</command>"

msgid "Make a list of services currently running on your system. Try:"
msgstr "Fazer uma lista de serviços que estão rodando no seu sistema. Tente:"

msgid ""
"\n"
"  $ ps aux\n"
"  $ netstat -pn -l -A inet \n"
"  # /usr/sbin/lsof -i | grep LISTEN"
msgstr ""
"\n"
"  $ ps -aux\n"
"  $ netstat -pn -l -A inet \n"
"  # /usr/sbin/lsof -i | grep LISTEN"

msgid "You will need to install <package>lsof-2.2</package> for the third command to work (run it as root). You should be aware that <command>lsof</command> can translate the word LISTEN to your locale settings."
msgstr "Você precisará instalar o <package>lsof-2.2</package> para o terceiro comando acima funcionar (execute como super-usuário). Você deve estar ciente de que o <command>lsof</command> pode traduzir a palavra LISTEN para suas configurações de localização."

msgid "In order to remove unnecessary services, first determine what package provides the service and how it is started. This can be accomplished by checking the program that listens in the socket. The following shell script, which uses the programs <command>lsof</command> and <command>dpkg</command>, does just that:"
msgstr "Para excluir serviços desnecessários, primeiro determine qual pacote fornece o serviço e como ele é inicializado. Isto pode ser feito verificando os programas que escutam no soquete. O shell script abaixo, que utiliza os programas <command>lsof</command> e <command>dpkg</command>, faz isso:"

msgid ""
"\n"
"#!/bin/sh\n"
"# FIXME: this is quick and dirty; replace with a more robust script snippet\n"
"for i in `sudo lsof -i | grep LISTEN | cut -d \" \" -f 1 |sort -u` ; do\n"
"  pack=`dpkg -S $i |grep bin |cut -f 1 -d : | uniq`\n"
"  echo \"Service $i is installed by $pack\";\n"
"  init=`dpkg -L $pack |grep init.d/ `\n"
"  if [ ! -z \"$init\" ]; then\n"
"    echo \"and is run by $init\"\n"
"  fi\n"
"done"
msgstr ""
"\n"
"  #!/bin/sh\n"
"  # FIXME: this is quick and dirty; replace with a more robust script snippet\n"
"  for i in `sudo lsof -i | grep LISTEN | cut -d \" \" -f 1 |sort -u` ; do\n"
"\t  pack=`dpkg -S $i |grep bin |cut -f 1 -d : | uniq`\n"
"\t  echo \"Service $i is installed by $pack\";\n"
"\t  init=`dpkg -L $pack |grep init.d/ `\n"
"\t  if [ ! -z \"$init\" ]; then\n"
"\t\t   echo \"and is run by $init\"\n"
"\t  fi\n"
"  done"

msgid "Once you find any unwanted services, remove the associated package (with <command>dpkg --purge</command>), or disable the service from starting automatically at boot time using <command>update-rc.d</command> (see <xref linkend=\"disableserv\" />)."
msgstr "Se você encontrar algum serviço desnecessário, exclua o pacote associado (com <command>dpkg --purge</command>), ou desabilite a inicialização automática durante a fase de boot usando o comando <command>update-rc.d</command> (veja <xref linkend=\"disableserv\" />)."

msgid "For inetd services (launched by the superdaemon), check which services are enabled in <filename>/etc/inetd.conf</filename> using:"
msgstr "Para os serviços inetd (iniciados pelo superdaemon), verifique quais serviços estão ativados em <filename>/etc/inetd.conf</filename> através de:"

msgid "\n"
"  $ grep -v \"^#\" /etc/inetd.conf | sort -u"
msgstr "\n"
"  $ grep -v \"^#\" /etc/inetd.conf | sort -u"

msgid "Then disable those services that are not needed by commenting out the line that includes them in <filename>/etc/inetd.conf</filename>, removing the package, or using <command>update-inetd</command>."
msgstr "Então desative estes serviços desnecessários comentando a linha referente em <filename>/etc/inetd.conf</filename>, excluindo o pacote ou utilizando o comando <command>update-inetd</command>."

msgid "If you have wrapped services (those using <command>/usr/sbin/tcpd</command>), check that the files <filename>/etc/hosts.allow</filename> and <filename>/etc/hosts.deny</filename> are configured according to your service policy."
msgstr "Se você utiliza serviços wrapped (aqueles que utilizam <command>/usr/sbin/tcpd</command>), verifique se os arquivos <filename>/etc/hosts.allow</filename> e <filename>/etc/hosts.deny</filename> são configurados de acordo com sua política de serviço."

msgid "If the server uses more than one external interface, depending on the service, you may want to limit the service to listen on a specific interface. For example, if you want internal FTP access only, make the FTP daemon listen only on your management interface, not on all interfaces (i.e, 0.0.0.0:21)."
msgstr "Se o servidor usa mais que uma interface externa, dependendo do seu serviço, você pode limitar o serviço para escutar em uma interface específica. Por exemplo, se você quiser somente acesso interno para o FTP, você deve configurar o daemon FTP para escutar somente na sua interface de gerência, não em todas interfaces (i.e, 0.0.0.0:21)."

msgid "Re-boot the machine, or switch to single user mode and then back to multiuser using the commands:"
msgstr "Reinicie o computador, ou troque o modo de single user para multiuser usando os comandos:"

msgid ""
"\n"
"  # init 1\n"
"  (....)\n"
"  # init 2"
msgstr ""
"\n"
"  $ init 1\n"
"  (....)\n"
"  $ init 2"

msgid "Check the services now available, and, if necessary, repeat the steps above."
msgstr "Então verifique agora os serviços que estão disponíveis, e se necessário, repita os passos acima."

msgid "Now install the needed services, if you have not done so already, and configure them properly."
msgstr "Agora instale os serviços necessários, se não tiver feito isso ainda, e os configure corretamente."

msgid "Use the following shell command to determine what user each available service is running as:"
msgstr "Use o comando shell abaixo para determinar com que usuário cada serviço disponível está sendo executado:"

msgid ""
"\n"
"  # for i in `/usr/sbin/lsof -i |grep LISTEN |cut -d \" \" -f 1 |sort -u`; \\\n"
"  &gt; do user=`ps ef |grep $i |grep -v grep |cut -f 1 -d \" \"` ; \\\n"
"  &gt; echo \"Service $i is running as user $user\"; done"
msgstr ""
"\n"
"  $ for i in `/usr/sbin/lsof -i |grep LISTEN |cut -d \" \" -f 1 |sort -u`; \\\n"
"  > do user=`ps -ef |grep $i |grep -v grep |cut -f 1 -d \" \"` ; \\\n"
"  > echo \"Service $i is running as user $user\"; done"

msgid "Consider changing these services to a specific user/group and maybe <command>chroot</command>'ing them for increased security. You can do this by changing the <filename>/etc/init.d</filename> scripts which start the service. Most services in Debian use <command>start-stop-daemon</command>, which has options (<literal>--change-uid</literal> and <literal>--chroot</literal>) for accomplishing this. A word of warning regarding the <command>chroot</command>'ing of services: you may need to put all the files installed by the package (use dpkg -L) providing the service, as well as any packages it depends on, in the <command>chroot</command>'ed environment. Information about setting up a <command>chroot</command> environment for the <command>ssh</command> program can be found in <xref linkend=\"chroot-ssh-env\" />."
msgstr "Considere alterar esses serviços para um usuário/grupo específico e talvez até enjaulá-los (<command>chroot</command>'ing) para aumentar nível de segurança. Você pode fazer isto alterando os scripts de inicialização em <filename>/etc/init.d</filename>. A maioria dos serviços no Debian usa o <command>start-stop-daemon</command> com as opções (<literal>--change-uid</literal> e <literal>--chroot</literal>) para fazer isso. Uma observação com relação ao enjaulamento (<command>chroot</command>'ing) dos serviços: você precisa colocar todos os arquivos instalados pelo pacote (use dpkg -L) que fornece o serviço, assim como qualquer pacote dependente, na jaula <command>chroot</command>. Informações sobre a configuração de um ambiente <command>chroot</command> para o programa <command>ssh</command> podem ser encontrada em <xref linkend=\"chroot-ssh-env\" />."

msgid "Repeat the steps above in order to check that only desired services are running and that they are running as the desired user/group combination."
msgstr "Repita os passos acima para certificar que somente os serviços desejados estejam rodando e esteja sendo usada a combinação de usuário/grupo correta."

msgid "Test the installed services in order to see if they work as expected."
msgstr "Teste os serviços instalados para ver se estão funcionando corretamente."

msgid "Check the system using a vulnerability assessment scanner (like <package>nessus</package>), in order to determine vulnerabilities in the system (i.e., misconfiguration, old services or unneeded services)."
msgstr "Verifique o sistema usando um vulnerability assessment scanner (tipo o <package>nessus</package>), para determinar as vulnerabilidades no sistema (i.e., mal-configuração, serviços antigos e desnecessários)."

msgid "Install network and host intrusion measures like <package>snort</package> and <package>logcheck</package>."
msgstr "Instale ferramentas de detecção de intrusão de rede e host como <package>snort</package> e <package>logsentry</package>."

msgid "Repeat the network scanner step and verify that the intrusion detection systems are working correctly."
msgstr "Repita o passo de varredura da rede e verifique se os sistemas de detecção de intrusão estão funcionando corretamente."

msgid "For the truly paranoid, also consider the following:"
msgstr "Para paranóia real, também considere o seguinte:"

msgid "Add firewalling capabilities to the system, accepting incoming connections only to offered services and limiting outgoing connections only to those that are authorized."
msgstr "Adicione as capacidades de firewall do sistema, conexões de entrada só devem ser feitas para os serviços oferecidos e limite as conexões de saída somente para aqueles que são autorizados."

msgid "Re-check the installation with a new vulnerability assessment using a network scanner."
msgstr "Verifique novamente a instalação com uma nova vulnerability assessment usando um varredor de rede."

msgid "Using a network scanner, check outbound connections from the system to an outside host and verify that unwanted connections do not find their way out."
msgstr "Usando um varredor de rede, verifique as conexões de saídas do sistema para um host remoto e certifique-se que as conexões indesejadas sejam estabelecida."

msgid "FIXME: this procedure considers service hardening but not system hardening at the user level, include information regarding checking user permissions, SETUID files and freezing changes in the system using the ext2 file system."
msgstr "FIXME: este procedimento engloba o fortalecimento de serviços, mas não o fortalecimento a nível de usuário, incluindo informações sobre verificação de permissões de usuários, arquivos SETUID e congelamento de alterações no sistema utilizando o sistema de arquivo ext2."

msgid "Configuration checklist"
msgstr "Checklist de configuração"

msgid "This appendix briefly reiterates points from other sections in this manual in a condensed checklist format. This is intended as a quick summary for someone who has already read the manual. There are other good checklists available, including Kurt Seifried's <ulink name=\"Securing Linux Step by Step\" url=\"http://seifried.org/security/os/linux/20020324-securing-linux-step-by-step.html\" /> and <ulink name=\"CERT's Unix Security Checklist\" url=\"http://www.cert.org/tech_tips/usc20_full.html\" />."
msgstr "Este apêndice retrata resumidamente os pontos de outras seções neste manual em um checklist no formato. A idéia é disponibilizar um sumário para a pessoa que já leu o manual buscar uma informação rapidamente. Existem outros checklists bons disponíveis, incluindo o <ulink name=\"Securing Linux Step by Step\" url=\"http://seifried.org/security/os/linux/20020324-securing-linux-step-by-step.html\" /> de Kurt Seifried e <ulink url=\"http://www.cert.org/tech_tips/usc20_full.html\" name=\"CERT's Unix Security Checklist\" />."

msgid "FIXME: This is based on v1.4 of the manual and might need to be updated."
msgstr "FIXME: Isso é baseado na versão 1.4 do manual e talvez precise de atualização."

msgid "Limit physical access and booting capabilities"
msgstr "Limite o acesso físico e as capacidade de inicialização"

msgid "Enable a password in the BIOS."
msgstr ""

msgid "Disable floppy/cdrom/... booting in the system's BIOS."
msgstr ""

msgid "Set a LILO or GRUB password (<filename>/etc/lilo.conf</filename> or <filename>/boot/grub/menu.lst</filename>, respectively); check that the LILO or GRUB configuration file is read-protected."
msgstr "Configure uma senha para o LILO ou GRUB (<filename>/etc/lilo.conf</filename> ou <filename>/boot/grub/menu.lst</filename>, respectivamente); verifique se o arquivo de configuração do LILO ou GRUB está protegido contra gravação."

msgid "Partitioning"
msgstr "Particionamento"

msgid "Separate user-writable data, non-system data, and rapidly changing run-time data to their own partitions"
msgstr "Separe os dados de escrita do usuário, dados que não são do sistema, e dados que são trocados rapidamente em tempo de execução para suas próprias partições"

msgid "Set <literal>nosuid,noexec,nodev</literal> mount options in <filename>/etc/fstab</filename> on ext2/3 partitions that should not hold binaries such as <filename>/home</filename> or <filename>/tmp</filename>."
msgstr ""

msgid "Password hygiene and login security"
msgstr "Higiene de senhas e segurança no login"

msgid "Set a good root password"
msgstr "Configure uma senha segura para o super-usuário"

msgid "Install and use PAM"
msgstr "Instale e use o PAM"

msgid "Add MD5 support to PAM and make sure that (generally speaking) entries in <filename>/etc/pam.d/</filename> files which grant access to the machine have the second field in the pam.d file set to <literal>requisite</literal> or <literal>required</literal>."
msgstr "Adicione suporte MD5 para o PAM e tenha certeza que (falando de forma generalizada) as entradas nos arquivos em <filename>/etc/pam.d/</filename> que garantem acesso à máquina tenham o segundo campo configurado como <literal>requisite</literal> ou <literal>required</literal>."

msgid "Tweak <filename>/etc/pam.d/login</filename> so as to only permit local root logins."
msgstr "Modifique o <filename>/etc/pam.d/login</filename> para permite somente logins locais para o super-usuário."

msgid "Also mark authorized tty:s in <filename>/etc/security/access.conf</filename> and generally set up this file to limit root logins as much as possible."
msgstr "Também marque tty:s autorizado em <filename>/etc/security/access.conf</filename> e geralmente configure este arquivo para limitar ao máximo possível o login do super-usuário."

msgid "Add pam_limits.so if you want to set per-user limits"
msgstr "Adicione o módulo pam_limits.so se você deseja configurar os limites por usuários"

msgid "Tweak <filename>/etc/pam.d/passwd</filename>: set minimum length of passwords higher (6 characters maybe) and enable MD5"
msgstr "Modifique <filename>/etc/pam.d/passwd</filename>: configure o tamanho mínimo para as senhas (6 caracteres talvez) e ative o MD5"

msgid "Add group wheel to <filename>/etc/group</filename> if desired; add pam_wheel.so group=wheel entry to <filename>/etc/pam.d/su</filename>"
msgstr "Adicione o grupo wheel para <filename>/etc/group</filename> se desejar; adicione a entrada pam_wheel.so group=wheel para <filename>/etc/pam.d/su</filename>"

msgid "For custom per-user controls, use pam_listfile.so entries where appropriate"
msgstr "Para controles customizados por usuários, utilize o módulo pam_listfile.so"

msgid "Have an <filename>/etc/pam.d/other</filename> file and set it up with tight security"
msgstr "Tenha um arquivo <filename>/etc/pam.d/other</filename> e o configure com um grau de segurança reforçado"

msgid "Set up limits in <filename>/etc/security/limits.conf</filename> (note that <filename>/etc/limits</filename> is not used if you are using PAM)"
msgstr "Configure limites em <filename>/etc/security/limits.conf</filename> (note que <filename>/etc/limits</filename> não é usado se você já estiver usando o PAM)"

msgid "Tighten up <filename>/etc/login.defs</filename>; also, if you enabled MD5 and/or PAM, make sure you make the corresponding changes here, too"
msgstr "Aumente a segurança em <filename>/etc/login.defs</filename>; também, se você ativar o MD5 e/ou PAM, tenha certeza de fazer também as alterações correspondentes aqui, também"

msgid "Tighten up <filename>/etc/pam.d/login</filename>"
msgstr ""

msgid "Disable root ftp access in <filename>/etc/ftpusers</filename>"
msgstr "Desative o acesso ftp ao super-usuário em <filename>/etc/ftpusers</filename>"

msgid "Disable network root login; use <citerefentry><refentrytitle>su</refentrytitle> <manvolnum>1</manvolnum></citerefentry> or <citerefentry><refentrytitle>sudo</refentrytitle> <manvolnum>1</manvolnum></citerefentry>. (consider installing <package>sudo</package>)"
msgstr ""

msgid "Use PAM to enforce additional constraints on logins?"
msgstr "Usar o PAM para reforçar barreiras adicionais aos logins?"

msgid "Other local security issues"
msgstr "Outras questões de segurança local"

msgid "Kernel tweaks (see <xref linkend=\"kernel-conf\" />)"
msgstr "Modificações no kernel (veja <xref linkend=\"kernel-conf\" />)"

msgid "Kernel patches (see <xref linkend=\"kernel-patches\" />)"
msgstr "Patches no Kernel (veja <xref linkend=\"kernel-patches\" />)"

msgid "Tighten up log file permissions (<filename>/var/log/{last,fail}log</filename>, Apache logs)"
msgstr "Tighten up log file permissions (<filename>/var/log/{last,fail}log</filename>, Apache logs)"

msgid "Verify that SETUID checking is enabled in <filename>/etc/checksecurity.conf</filename>"
msgstr "Certifique-se que a verificação SETUID está ativada em <filename>/etc/checksecurity.conf</filename>"

msgid "Consider making some log files append-only and configuration files immutable using chattr (ext2/3 file systems only)"
msgstr "Considere configurar alguns arquivos de logs como somente append e os arquivo de configuração imutáveis, usando o comando chattr (somente para arquivos ext2)"

msgid "Set up file integrity (see <xref linkend=\"check-integ\" />). Install <package>debsums</package>"
msgstr "Configurar a integridade de arquivo (veja <xref linkend=\"check-integ\" />). Instale <package>debsums</package>"

msgid "Log everything to a local printer?"
msgstr "Efetuar o log de tudo em uma impressora local?"

msgid "Burn your configuration on a boot-able CD and boot off that?"
msgstr "Gravar suas configurações em um CD inicializável e boof off?"

msgid "Disable kernel modules?"
msgstr "Desativar os módulos do kernel?"

msgid "Limit network access"
msgstr "Limitar acesso a rede"

msgid "Install and configure <command>ssh</command> (suggest PermitRootLogin No in <filename>/etc/ssh/sshd_config</filename>, PermitEmptyPasswords No; note other suggestions in text also)"
msgstr "Instale e configure <command>ssh</command> (sugiro PermitRootLogin No em <filename>/etc/ssh/sshd_config</filename>, PermitEmptyPasswords No; note outras sugestões também no texto)"

msgid "Disable or remove <command>in.telnetd</command>, if installed"
msgstr ""

msgid "Generally, disable gratuitous services in <filename>/etc/inetd.conf</filename> using <command>update-inetd --disable</command> (or disable <command>inetd</command> altogether, or use a replacement such as <command>xinetd</command> or <command>rlinetd</command>)"
msgstr "Geralmente, desative serviços desnecessários em <filename>/etc/inetd.conf</filename> usando o comando <command>update-inetd --disable</command> (ou desative <command>inetd</command> completamente, ou use o um substituto como <command>xinetd</command> ou <command>rlinetd</command>)"

msgid "Disable other gratuitous network services; ftp, DNS, WWW etc should not be running if you do not need them and monitor them regularly. In most cases mail should be running but configured for local delivery only."
msgstr ""

msgid "For those services which you do need, do not just use the most common programs, look for more secure versions shipped with Debian (or from other sources). Whatever you end up running, make sure you understand the risks."
msgstr "Para aqueles serviços que você precisa, não use os programas mais comuns, procure por versões mais seguras distribuídas com o Debian (ou de outras fontes). Seja lá o que você for parar de executar, tenha certeza que você entende os riscos."

msgid "Set up <command>chroot</command> jails for outside users and daemons."
msgstr "Configure jaula <command>chroot</command> para usuários externos e daemons."

msgid "Configure firewall and tcpwrappers (i.e. <citerefentry><refentrytitle>hosts_access</refentrytitle> <manvolnum>5</manvolnum></citerefentry>); note trick for <filename>/etc/hosts.deny</filename> in text."
msgstr ""

msgid "If you run ftp, set up your ftpd server to always run <command>chroot</command>'ed to the user's home directory"
msgstr "Se você executa o ftp, configure seu servidor ftpd sempre para executar enjaulado para o diretório home dos usuários"

msgid "If you run X, disable xhost authentication and go with <command>ssh</command> instead; better yet, disable remote X if you can (add -nolisten tcp to the X command line and turn off XDMCP in <filename>/etc/X11/xdm/xdm-config</filename> by setting the requestPort to 0)"
msgstr "Se você executa X, desative a autenticação xhost e use-o com <command>ssh</command>; melhor ainda, se puder desative o X (adicione -nolisten tcp para a linha de comando do X e desligue o XDMCP no <filename>/etc/X11/xdm/xdm-config</filename> configurando requestPort para 0)"

msgid "Disable remote access to printers"
msgstr "Desative acesso externo para as impressoras"

msgid "Tunnel any IMAP or POP sessions through SSL or <command>ssh</command>; install stunnel if you want to provide this service to remote mail users"
msgstr "Use tunelamento para qualquer sessão IMAP ou POP através do SSL ou <command>ssh</command>; instale stuneel se você quer fornecer este serviços para usuários de mail externos"

msgid "Set up a log host and configure other machines to send logs to this host (<filename>/etc/syslog.conf</filename>)"
msgstr "Configure um host de log e configure as outras máquinas para enviar logs para esse host (<filename>/etc/syslog.conf</filename>)"

msgid "Secure BIND, Sendmail, and other complex daemons (run in a <command>chroot</command> jail; run as a non-root pseudo-user)"
msgstr "Torne seguro o BIND, Sendmail, e outros daemons complexos (execute-os com uma jaula<command>chroot</command>; execute como um pseudo-usuário não root)"

msgid "Install tiger or a similar network intrusion detection tool."
msgstr ""

msgid "Install snort or a similar network intrusion detection tool.v"
msgstr ""

msgid "Do without NIS and RPC if you can (disable portmap)."
msgstr "Faça sem NIS ou RPC se puder (desative portmap)."

msgid "Policy issues"
msgstr "Políticas de segurança"

msgid "Educate users about the whys and hows of your policies. When you have prohibited something which is regularly available on other systems, provide documentation which explains how to accomplish similar results using other, more secure means."
msgstr "Eduque os usuários sobre os porquês e comos de suas políticas. Quando você proíbe algo que está disponível regularmente em outros sistemas, forneça uma documentação que explique como obter resultados similares através de outros meios mais seguros."

msgid "Prohibit use of protocols which use clear-text passwords (<command>telnet</command>, <command>rsh</command> and friends; ftp, imap, http, ...)."
msgstr "Proíba o uso de protocolos que utilizam senhas em texto plano (<command>telnet</command>, <command>rsh</command> e similares; ftp, imap, http, ...)."

msgid "Prohibit programs which use SVGAlib."
msgstr "Proíba programas que usam SVGAlib."

msgid "Use disk quotas."
msgstr "Use cotas de disco."

msgid "Keep informed about security issues"
msgstr "Mantenha-se informado sobre questões relacionadas à segurança"

msgid "Subscribe to security mailing lists"
msgstr "Inscreva-se em listas de discussão sobre segurança"

msgid "Configure <package>apt</package> for security updates -- add to <filename>/etc/apt/sources.list</filename> an entry (or entries) for http://security.debian.org/"
msgstr "Configure <package>apt</package> para atualização de segurança -- adicione no arquivo <filename>/etc/apt/sources.list</filename> uma entrada (ou entradas) para http://security.debian.org/debian-security"

msgid "Also remember to periodically run <command>apt-get update ; apt-get upgrade</command> (perhaps install as a <command>cron</command> job?) as explained in <xref linkend=\"security-update\" />."
msgstr "Também lembre-se de executar periodicamente os comandos <command>apt-get update ; apt-get upgrade</command> (talvez instalar como um job no <command>cron</command>?) como explicado em <xref linkend=\"security-update\" />."

msgid "Setting up a stand-alone IDS"
msgstr "Configurando um IDS stand-alone"

msgid "You can easily set up a dedicated Debian system as a stand-alone Intrusion Detection System using <package>snort</package> and a web-based interface to analyse the intrusion detection alerts:"
msgstr ""

msgid "Install a base Debian system and select no additional packages."
msgstr "Instale um sistema Debian base e não selecione nenhum pacote adicional."

msgid "Install one of the Snort versions with database support and configure the IDS to log alerts into the database."
msgstr ""

msgid "Download and install BASE (Basic Analysis and Security Engine), or ACID (Analysis Console for Intrusion Databases). Configure it to use the same database than Snort."
msgstr ""

msgid "Download and install the necessary packages<footnote><para>Typically the needed packages will be installed through the dependencies</para></footnote>."
msgstr ""

msgid "BASE is currently packaged for Debian in <package>acidbase</package> and ACID is packaged as <package>acidlab</package><footnote><para> It can also be downloaded from <ulink url=\"http://www.cert.org/kb/acid/\" />, <ulink url=\"http://acidlab.sourceforge.net\" /> or <ulink url=\"http://www.andrew.cmu.edu/~rdanyliw/snort/\" />. </para></footnote>. Both provide a graphical WWW interface to Snort's output."
msgstr ""

msgid "Besides the base installation you will also need a web server (such as <package>apache</package>), a <command>PHP</command> interpreter and a relational database (such <package>postgresql</package> or <package>mysql</package>) where Snort will store its alerts."
msgstr ""

msgid "This system should be set up with at least two interfaces: one interface connected to a management LAN (for accessing the results and maintaining the system), and one interface with no IP address attached to the network segment being analyzed. You should configure the web server to listen only on the interface connected to the management LAN."
msgstr "Este sistema deve ser configurado com pelo menos duas interfaces de rede; uma interface conectada ao gerenciamento da LAN (para acessar os resultados e suporte do sistema), e outra interface sem nenhum endereço IP anexada ao segmento de rede a ser analisado."

msgid "You should configure both interfaces in the standard Debian <filename>/etc/network/interfaces</filename> configuration file. One (the management LAN) address can be configured as you would normally do. The other interface needs to be configured so that it is started up when the system boots, but with no interface address. You can use the following interface definition:"
msgstr ""

msgid ""
"\n"
"auto eth0\n"
"iface eth0 inet manual\n"
"      up ifconfig $IFACE 0.0.0.0 up\n"
"      up ip link set $IFACE promisc on\n"
"      down ip link set $IFACE promisc off\n"
"      down ifconfig $IFACE down"
msgstr ""
"\n"
"auto eth0\n"
"iface eth0 inet manual\n"
"      up ifconfig $IFACE 0.0.0.0 up\n"
"      up ip link set $IFACE promisc on\n"
"      down ip link set $IFACE promisc off\n"
"      down ifconfig $IFACE down"

msgid "The above configures an interface to read all the traffic on the network in a <emphasis>stealth</emphasis>-type configuration. This prevents the NIDS system to be a direct target in a hostile network since the sensors have no IP address on the network. Notice, however, that there have been known bugs over time in sensors part of NIDS (for example see <ulink name=\"DSA-297\" url=\"http://www.debian.org/security/2003/dsa-297\" /> related to Snort) and remote buffer overflows might even be triggered by network packet processing."
msgstr ""

msgid "You might also want to read the <ulink name=\"Snort Statistics HOWTO\" url=\"http://www.faqs.org/docs/Linux-HOWTO/Snort-Statistics-HOWTO.html\" /> and the documentation available at the <ulink name=\"Snort official site\" url=\"http://www.snort.org/docs/\" />."
msgstr ""

msgid "Setting up a bridge firewall"
msgstr "Configurando uma ponte firewall"

msgid "This information was contributed by Francois Bayart in order to help users set up a Linux bridge/firewall with the 2.4.x kernel and <package>iptables</package>. Kernel patches are no more needed as the code was made standard part of the Linux kernel distribution."
msgstr "Esta informação foi contribuição de Francois Bayart para ajudar os usuário a configurar um Linux como ponte/firewall com o kernel 2.4.x e <package>iptables</package>. Patches do kernel não são mais necessários, uma vez que o código passou a fazer parte do kernel do Linux."

msgid "To configure the kernel with necessary support, run <literal>make menuconfig</literal> or <literal>make xconfig</literal>. In the section <emphasis>Networking options</emphasis>, enable the following options:"
msgstr "Para configurar o kernel com o suporte necessário, execute <literal>make menuconfig</literal> ou <literal>make xconfig</literal>. Na seção <emphasis>Networking options</emphasis>, ative as seguintes opções:"

msgid ""
"\n"
"[*] Network packet filtering (replaces ipchains)\n"
"[ ]   Network packet filtering debugging (NEW)\n"
"&lt;*&gt; 802.1d Ethernet Bridging\n"
"[*]   netfilter (firewalling) support (NEW)"
msgstr ""
"\n"
"[*] Network packet filtering (replaces ipchains)\n"
"[ ]   Network packet filtering debugging (NEW)\n"
"&lt;*&gt; 802.1d Ethernet Bridging\n"
"[*]   netfilter (firewalling) support (NEW)"

msgid "Caution: you must disable this if you want to apply some firewalling rules or else <command>iptables</command> will not work:"
msgstr "Cuidado: você deve desativar isso se você quiser aplicar algumas regras de firewall ou o <command>iptables</command> não funcionará:"

msgid "\n"
"[ ]   Network packet filtering debugging (NEW)"
msgstr "\n"
"[ ]   Network packet filtering debugging (NEW)"

msgid "Next, add the correct options in the section <emphasis>IP: Netfilter Configuration</emphasis>. Then, compile and install the kernel. If you want to do it the <emphasis>Debian way</emphasis>, install <package>kernel-package</package> and run <command>make-kpkg</command> to create a custom Debian kernel package you can install on your server using dpkg. Once the new kernel is compiled and installed, install the <package>bridge-utils</package> package."
msgstr "Próximo passo, adicione as opções corretas na seção <emphasis>IP: Netfilter Configuration</emphasis>. Então, compile e instale o kernel. Se você quiser fazer isso no <emphasis>jeito do Debian</emphasis>, instale o <package>kernel-package</package> e execute <command>make-kpkg</command> para criar um pacote Debian customizado do kernel que possa ser instalado no servidor usando o dpkg. Uma vez que o novo kernel é compilado e instalado, instale o pacote <package>bridge-utils</package>."

msgid "Once these steps are complete, you can complete the configuration of your bridge. The next section presents two different possible configurations for the bridge, each with a hypothetical network map and the necessary commands."
msgstr "Quando estes passos forem feitos, você pode completar a configuração de sua ponte. A próxima seção apresenta duas possíveis configurações para a ponte, cada uma com um mapa de rede hipotético e os comandos necessários."

msgid "A bridge providing NAT and firewall capabilities"
msgstr "Uma ponte fornecendo capacidades de NAT e firewall"

msgid "The first configuration uses the bridge as a firewall with network address translation (NAT) that protects a server and internal LAN clients. A diagram of the network configuration is shown below:"
msgstr "A primeira configuração usa a ponte como um firewall com tradução de endereços de rede (NAT) que protege o servidor e os clientes da rede interna. Um diagrama da configuração da rede é mostrado abaixo:"

msgid ""
"\n"
"Internet ---- router ( 62.3.3.25 ) ---- bridge (62.3.3.26 gw 62.3.3.25 / 192.168.0.1)\n"
"                                          |\n"
"                                          |\n"
"                                          |---- WWW Server (62.3.3.27 gw 62.3.3.25)\n"
"                                          |\n"
"                                          |\n"
"                                         LAN --- Zipowz (192.168.0.2 gw 192.168.0.1)"
msgstr ""
"\n"
"Internet ---- router ( 62.3.3.25 ) ---- bridge (62.3.3.26 gw 62.3.3.25 / 192.168.0.1)\n"
"                                          |\n"
"                                          |\n"
"                                          |---- WWW Server (62.3.3.27 gw 62.3.3.25)\n"
"                                          |\n"
"                                          |\n"
"                                         LAN --- Zipowz (192.168.0.2 gw 192.168.0.1)"

msgid "The following commands show how this bridge can be configured."
msgstr "Os seguintes comando mostram como esta ponte pode ser configurada."

msgid ""
"\n"
"# Create the interface br0\n"
"/usr/sbin/brctl addbr br0\n"
"\n"
"# Add the Ethernet interface to use with the bridge\n"
"/usr/sbin/brctl addif br0 eth0\n"
"/usr/sbin/brctl addif br0 eth1\n"
"\n"
"# Start up the Ethernet interface\n"
"/sbin/ifconfig eth0 0.0.0.0\n"
"/sbin/ifconfig eth1 0.0.0.0\n"
"\n"
"# Configure the bridge ethernet\n"
"# The bridge will be correct and invisible ( transparent firewall ).\n"
"# It's hidden in a traceroute and you keep your real gateway on the \n"
"# other computers. Now if you want you can config a gateway on your \n"
"# bridge and choose it as your new gateway for the other computers.\n"
"\n"
"/sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31\n"
"\n"
"# I have added this internal IP to create my NAT \n"
"ip addr add 192.168.0.1/24 dev br0\n"
"/sbin/route add default gw 62.3.3.25"
msgstr ""
"\n"
"# Create the interface br0\n"
"/usr/sbin/brctl addbr br0\n"
"\n"
"# Add the Ethernet interface to use with the bridge\n"
"/usr/sbin/brctl addif br0 eth0\n"
"/usr/sbin/brctl addif br0 eth1\n"
"\n"
"# Start up the Ethernet interface\n"
"/sbin/ifconfig eth0 0.0.0.0\n"
"/sbin/ifconfig eth1 0.0.0.0\n"
"\n"
"# Configure the bridge ethernet\n"
"# The bridge will be correct and invisible ( transparent firewall ).\n"
"# It's hidden in a traceroute and you keep your real gateway on the \n"
"# other computers. Now if you want you can config a gateway on your \n"
"# bridge and choose it as your new gateway for the other computers.\n"
"\n"
"/sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.32\n"
"\n"
"# I have added this internal IP to create my NAT \n"
"ip addr add 192.168.0.1/24 dev br0\n"
"/sbin/route add default gw 62.3.3.25"

msgid "A bridge providing firewall capabilities"
msgstr "Uma ponte fornecendo capacidades de firewall"

msgid "A second possible configuration is a system that is set up as a transparent firewall for a LAN with a public IP address space."
msgstr "Uma segunda possível configuração é um sistema que funciona como um firewall transparente para a LAN com um espaço de endereços IP públicos."

msgid ""
"\n"
"Internet ---- router (62.3.3.25) ---- bridge (62.3.3.26)\n"
"                                        |\n"
"                                        |\n"
"                                        |---- WWW Server (62.3.3.28 gw 62.3.3.25)\n"
"                                        |\n"
"                                        |\n"
"                                        |---- Mail Server (62.3.3.27 gw 62.3.3.25)"
msgstr ""
"\n"
"Internet ---- router (62.3.3.25) ---- bridge (62.3.3.26)\n"
"                                        |\n"
"                                        |\n"
"                                        |---- WWW Server (62.3.3.28 gw 62.3.3.25)\n"
"                                        |\n"
"                                        |\n"
"                                        |---- Mail Server (62.3.3.27 gw 62.3.3.25)"

msgid ""
"\n"
"# Create the interface br0\n"
"/usr/sbin/brctl addbr br0\n"
"\n"
"# Add the Ethernet interface to use with the bridge\n"
"/usr/sbin/brctl addif br0 eth0\n"
"/usr/sbin/brctl addif br0 eth1\n"
"\n"
"# Start up the Ethernet interface\n"
"/sbin/ifconfig eth0 0.0.0.0\n"
"/sbin/ifconfig eth1 0.0.0.0\n"
"\n"
"# Configure the bridge Ethernet\n"
"# The bridge will be correct and invisible ( transparent firewall ).\n"
"# It's hidden in a traceroute and you keep your real gateway on the \n"
"# other computers. Now if you want you can config a gateway on your\n"
"# bridge and choose it as your new gateway for the other computers.\n"
"\n"
"/sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31"
msgstr ""
"\n"
"# Create the interface br0\n"
"/usr/sbin/brctl addbr br0\n"
"\n"
"# Add the Ethernet interface to use with the bridge\n"
"/usr/sbin/brctl addif br0 eth0\n"
"/usr/sbin/brctl addif br0 eth1\n"
"\n"
"# Start up the Ethernet interface\n"
"/sbin/ifconfig eth0 0.0.0.0\n"
"/sbin/ifconfig eth1 0.0.0.0\n"
"\n"
"# Configure the bridge Ethernet\n"
"# The bridge will be correct and invisible ( transparent firewall ).\n"
"# It's hidden in a traceroute and you keep your real gateway on the \n"
"# other computers. Now if you want you can config a gateway on your\n"
"# bridge and choose it as your new gateway for the other computers.\n"
"\n"
"/sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.32"

msgid "If you traceroute the Linux Mail Server, you won't see the bridge. If you want access to the bridge with <command>ssh</command>, you must have a gateway or you must first connect to another server, such as the \"Mail Server\", and then connect to the bridge through the internal network card."
msgstr "Se você seguir as rotas para o Linux Mail Server, não enxergará a ponte. Se você quiser acessar a ponte com o <command>ssh</command>, você deve ter um gateway ou acessar um outro servidor, como o \"Mail Server\", e então conectar à ponte através de uma placa de rede interna."

msgid "Basic IPtables rules"
msgstr "Regras básicas do IPtables"

msgid "This is an example of the basic rules that could be used for either of these setups."
msgstr "As regras básicas a seguir podem ser usadas em qualquer uma das duas configurações mostradas acima."

msgid "Basic Iptables rules"
msgstr "Regras básicas do IPtables"

msgid ""
"\n"
"iptables -F FORWARD\n"
"iptables -P FORWARD DROP\n"
"iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP\n"
"iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
"\n"
"# Some funny rules but not in a classic Iptables sorry ...\n"
"# Limit ICMP \n"
"# iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT\n"
"# Match string, a good simple method to block some VIRUS very quickly\n"
"# iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --string \"cmd.exe\"\n"
"\n"
"# Block all MySQL connection just to be sure\n"
"iptables -A FORWARD -p tcp -s 0/0 -d 62.3.3.0/24 --dport 3306 -j DROP\n"
"\n"
"# Linux Mail Server Rules\n"
"\n"
"# Allow FTP-DATA (20), FTP (21), SSH (22) \n"
"iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.27/32 --dport 20:22 -j ACCEPT\n"
"\n"
"# Allow the Mail Server to connect to the outside\n"
"# Note: This is *not* needed for the previous connections \n"
"# (remember: stateful filtering) and could be removed.\n"
"iptables -A FORWARD -p tcp -s 62.3.3.27/32 -d 0/0 -j ACCEPT\n"
"\n"
"# WWW Server Rules\n"
"\n"
"# Allow HTTP ( 80 ) connections with the WWW server\n"
"iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 80 -j ACCEPT\n"
"\n"
"# Allow HTTPS ( 443 ) connections with the WWW server\n"
"iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 443 -j ACCEPT\n"
"\n"
"# Allow the WWW server to go out\n"
"# Note: This is *not* needed for the previous connections \n"
"# (remember: stateful filtering) and could be removed.\n"
"iptables -A FORWARD -p tcp -s 62.3.3.28/32 -d 0/0 -j ACCEPT"
msgstr ""
"\n"
"  iptables -F FORWARD\n"
"  iptables -P FORWARD DROP\n"
"  iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP\n"
"  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
"\n"
"  # Some funny rules but not in a classic Iptables sorry ...\n"
"  # Limit ICMP \n"
"  # iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT\n"
"  # Match string, a good simple method to block some VIRUS very quickly\n"
"  # iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --string \"cmd.exe\"\n"
"\n"
"  # Block all MySQL connection just to be sure\n"
"  iptables -A FORWARD -p tcp -s 0/0 -d 62.3.3.0/24 --dport 3306 -j DROP\n"
"\n"
"  # Linux Mail Server Rules\n"
"\n"
"  # Allow FTP-DATA ( 20 ) , FTP ( 21 ) , SSH ( 22 ) \n"
"  iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.27/32 --dport 20:22 -j ACCEPT\n"
"\n"
"  # Allow the Mail Server to connect to the outside\n"
"  # Note: This is *not* needed for the previous connections \n"
"  # (remember: stateful filtering) and could be removed.\n"
"  iptables -A FORWARD -p tcp -s 62.3.3.27/32 -d 0/0 -j ACCEPT\n"
"\n"
"  # WWW Server Rules\n"
"\n"
"  # Allow HTTP ( 80 ) connections with the WWW server\n"
"  iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 80 -j ACCEPT\n"
"\n"
"  # Allow HTTPS ( 443 ) connections with the WWW server\n"
"  iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 443 -j ACCEPT\n"
"\n"
"  # Allow the WWW server to go out\n"
"  # Note: This is *not* needed for the previous connections \n"
"  # (remember: stateful filtering) and could be removed.\n"
"  iptables -A FORWARD -p tcp -s 62.3.3.28/32 -d 0/0 -j ACCEPT"

msgid "Sample script to change the default Bind installation."
msgstr "Exemplo de script para alterar a instalação padrão do Bind."

msgid "This script automates the procedure for changing the <command>bind</command> version 8 name server's default installation so that it does <emphasis>not</emphasis> run as the superuser. Notice that <command>bind</command> version 9 in Debian already does this by default <footnote><para> Since version 9.2.1-5. That is, since Debian release <emphasis>sarge</emphasis>.</para></footnote> , and you are much better using that version than <command>bind</command> version 8."
msgstr ""

msgid "This script is here for historical purposes and to show how you can automate this kind of changes system-wide. The script will create the user and groups defined for the name server and will modify both <filename>/etc/default/bind</filename> and <filename>/etc/init.d/bind</filename> so that the program will run with that user. Use with extreme care since it has not been tested thoroughly."
msgstr ""

msgid "You can also create the users manually and use the patch available for the default init.d script attached to <ulink name=\"bug report #157245\" url=\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=157245\" />."
msgstr ""

msgid ""
"\n"
"  #!/bin/sh\n"
"  # Change the default Debian bind v8 configuration to have it run\n"
"  # with a non-root user and group.\n"
"  # \n"
"  # DO NOT USER this with version 9, use debconf for configure this instead\n"
"  #\n"
"  # WARN: This script has not been tested thoroughly, please\n"
"  # verify the changes made to the INITD script\n"
"\n"
"  # (c) 2002 Javier Fernandez-Sanguino Pena\n"
"  #\n"
"  #    This program is free software; you can redistribute it and/or modify\n"
"  #    it under the terms of the GNU General Public License as published by\n"
"  #    the Free Software Foundation; either version 1, or (at your option)\n"
"  #    any later version.\n"
"  #\n"
"  #    This program is distributed in the hope that it will be useful,\n"
"  #    but WITHOUT ANY WARRANTY; without even the implied warranty of\n"
"  #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n"
"  #    GNU General Public License for more details.\n"
"  #\n"
"  #     Please see the file `COPYING' for the complete copyright notice.\n"
"  #\n"
"\n"
"  restore() {\n"
"  # Just in case, restore the system if the changes fail\n"
"    echo \"WARN: Restoring to the previous setup since I'm unable to properly change it.\"\n"
"    echo \"WARN: Please check the $INITDERR script.\"\n"
"    mv $INITD $INITDERR\n"
"    cp $INITDBAK $INITD\n"
"  }\n"
"\n"
"\n"
"  USER=named\n"
"  GROUP=named\n"
"  INITD=/etc/init.d/bind\n"
"  DEFAULT=/etc/default/bind\n"
"  INITDBAK=$INITD.preuserchange\n"
"  INITDERR=$INITD.changeerror\n"
"  AWKS=\"awk ' /\\/usr\\/sbin\\/ndc reload/ { print \\\"stop; sleep 2; start;\\\"; noprint = 1; } /\\\\\\\\$/ { if ( noprint != 0 ) { noprint = noprint + 1;} } /^.*$/ { if ( noprint != 0 ) { noprint = noprint - 1; } else { print \\$0; } } '\"\n"
"\n"
"  [ `id -u` -ne 0 ] &amp;&amp; {\n"
"    echo \"This program must be run by the root user\"\n"
"    exit 1\n"
"  }\n"
"\n"
"  RUNUSER=`ps eo user,fname |grep named |cut -f 1 -d \" \"`\n"
"\n"
"  if [ \"$RUNUSER\" = \"$USER\" ] \n"
"  then\n"
"    echo \"WARN: The name server running daemon is already running as $USER\"\n"
"    echo \"ERR:  This script will not do any changes to your setup.\"\n"
"    exit 1\n"
"  fi\n"
"  if [ ! -f \"$INITD\" ]\n"
"  then\n"
"    echo \"ERR:  This system does not have $INITD (which this script tries to change)\"\n"
"    RUNNING=`ps eo fname |grep named`\n"
"    [ -z \"$RUNNING\" ] &amp;&amp; \\\n"
"      echo \"ERR:  In fact the name server daemon is not even running (is it installed?)\"\n"
"    echo \"ERR:  No changes will be made to your system\"\n"
"    exit 1\n"
"  fi\n"
"\n"
"  # Check if there are options already setup \n"
"  if [ -e \"$DEFAULT\" ]\n"
"  then\n"
"    if grep -q ^OPTIONS $DEFAULT; then\n"
"      echo \"ERR: The $DEFAULT file already has options set.\"\n"
"      echo \"ERR:  No changes will be made to your system\"\n"
"    fi\n"
"  fi\n"
"\n"
"  # Check if named group exists\n"
"  if [ -z \"`grep $GROUP /etc/group`\" ] \n"
"  then\n"
"    echo \"Creating group $GROUP:\"\n"
"    addgroup $GROUP\n"
"  else\n"
"    echo \"WARN: Group $GROUP already exists. Will not create it\"\n"
"  fi\n"
"  # Same for the user\n"
"  if [ -z \"`grep $USER /etc/passwd`\" ] \n"
"  then\n"
"    echo \"Creating user $USER:\"\n"
"    adduser --system --home /home/$USER \\\n"
"      --no-create-home --ingroup $GROUP \\\n"
"      --disabled-password --disabled-login $USER\n"
"  else\n"
"    echo \"WARN: The user $USER already exists. Will not create it\"\n"
"  fi\n"
"\n"
"  # Change the init.d script\n"
"\n"
"  # First make a backup (check that there is not already\n"
"  # one there first)\n"
"  if [ ! -f $INITDBAK ] \n"
"  then\n"
"    cp $INITD $INITDBAK\n"
"  fi\n"
"\n"
"  # Then use it to change it\n"
"  cat $INITDBAK |\n"
"  eval $AWKS &gt; $INITD\n"
"\n"
"  # Now put the options in the /etc/default/bind file:\n"
"  cat &gt;&gt;$DEFAULT &lt;&lt;EOF\n"
"# Make bind run with the user we defined\n"
"OPTIONS=\"-u $USER -g $GROUP\"\n"
"EOF\n"
"\n"
"  echo \"WARN: The script $INITD has been changed, trying to test the changes.\"\n"
"  echo \"Restarting the named daemon (check for errors here).\"\n"
"\n"
"  $INITD restart\n"
"  if [ $? -ne 0 ] \n"
"  then\n"
"    echo \"ERR:  Failed to restart the daemon.\"\n"
"    restore\n"
"    exit 1\n"
"  fi\n"
"\n"
"  RUNNING=`ps eo fname |grep named`\n"
"  if [ -z \"$RUNNING\" ] \n"
"  then\n"
"    echo \"ERR:  Named is not running, probably due to a problem with the changes.\"\n"
"    restore\n"
"    exit 1\n"
"  fi\n"
"\n"
"  # Check if it's running as expected\n"
"  RUNUSER=`ps eo user,fname |grep named |cut -f 1 -d \" \"`\n"
"\n"
"  if [ \"$RUNUSER\" = \"$USER\" ] \n"
"  then\n"
"    echo \"All has gone well, named seems to be running now as $USER.\"\n"
"  else\n"
"    echo \"ERR:  The script failed to automatically change the system.\"\n"
"    echo \"ERR:  Named is currently running as $RUNUSER.\"\n"
"    restore\n"
"    exit 1\n"
"  fi\n"
"\n"
"  exit 0"
msgstr ""
"\n"
"  #!/bin/sh\n"
"  # Change the default Debian bind configuration to have it run\n"
"  # with a non-root user and group.\n"
"  #\n"
"  # WARN: This script has not been tested thoroughly, please\n"
"  # verify the changes made to the INITD script\n"
"\n"
"  # (c) 2002 Javier Fernandez-Sanguino Peña\n"
"  #\n"
"  #    This program is free software; you can redistribute it and/or modify\n"
"  #    it under the terms of the GNU General Public License as published by\n"
"  #    the Free Software Foundation; either version 1, or (at your option)\n"
"  #    any later version.\n"
"  #\n"
"  #    This program is distributed in the hope that it will be useful,\n"
"  #    but WITHOUT ANY WARRANTY; without even the implied warranty of\n"
"  #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n"
"  #    GNU General Public License for more details.\n"
"  #\n"
"  #     Please see the file `COPYING' for the complete copyright notice.\n"
"  #\n"
"\n"
"  restore() {\n"
"  # Just in case, restore the system if the changes fail\n"
"\t  echo \"WARN: Restoring to the previous setup since I'm unable to properly change it.\"\n"
"\t  echo \"WARN: Please check the $INITDERR script.\"\n"
"\t  mv $INITD $INITDERR\n"
"\t  cp $INITDBAK $INITD\n"
"  }\n"
"\n"
"\n"
"  USER=named\n"
"  GROUP=named\n"
"  INITD=/etc/init.d/bind\n"
"  INITDBAK=$INITD.preuserchange\n"
"  INITDERR=$INITD.changeerror\n"
"  START=\"start-stop-daemon --start --quiet --exec /usr/sbin/named -- -g $GROUP -u $USER\"\n"
"  AWKS=\"awk ' /start-stop-daemon --start/ { print \\\"$START\\\"; noprint = 1; }; /\\/usr\\/sbin\\/ndc reload/ { print \\\"stop; sleep 2; start;\\\"; noprint = 1; } /\\\\\\\\$/ { if ( noprint != 0 ) { noprint = noprint + 1;} } /^.*$/ { if ( noprint != 0 ) { noprint = noprint - 1; } else { print \\$0; } } '\"\n"
"\n"
"  [ `id -u` -ne 0 ] &amp;&amp; {\n"
"\t  echo \"This program must be run by the root user\"\n"
"\t  exit 1\n"
"  }\n"
"\n"
"  RUNUSER=`ps -eo user,fname |grep named |cut -f 1 -d \" \"`\n"
"\n"
"  if [ \"$RUNUSER\" = \"$USER\" ] \n"
"  then\n"
"\t  echo \"WARN: The name server running daemon is already running as $USER\"\n"
"\t  echo \"ERR:  This script will not many any changes to your setup.\"\n"
"\t  exit 1\n"
"  fi\n"
"  if [ ! -f $INITD ]\n"
"  then\n"
"\t  echo \"ERR:  This system does not have $INITD (which this script tries to change)\"\n"
"\t  RUNNING=`ps -eo fname |grep named`\n"
"\t   [ -z \"$RUNNING\" ] &amp;&amp; \\\n"
"\t      echo \"ERR:  In fact the name server daemon is not even running (is it installed?)\"\n"
"\t   echo \"ERR:  No changes will be made to your system\"\n"
"\t  exit 1\n"
"  fi\n"
"\n"
"  # Check if named group exists\n"
"  if [ -z \"`grep $GROUP /etc/group`\" ] \n"
"  then\n"
"\t  echo \"Creating group $GROUP:\"\n"
"\t  addgroup $GROUP\n"
"  else\n"
"\t  echo \"WARN: Group $GROUP already exists. Will not create it\"\n"
"  fi\n"
"  # Same for the user\n"
"  if [ -z \"`grep $USER /etc/passwd`\" ] \n"
"  then\n"
"\t  echo \"Creating user $USER:\"\n"
"\t  adduser --system --home /home/$USER \\\n"
"\t  --no-create-home --ingroup $GROUP \\\n"
"\t  --disabled-password --disabled-login $USER\n"
"  else\n"
"\t  echo \"WARN: The user $USER already exists. Will not create it\"\n"
"  fi\n"
"\n"
"  # Change the init.d script\n"
"\n"
"  # First make a backup (check that there is not already\n"
"  # one there first)\n"
"  if [ ! -f $INITDBAK ] \n"
"  then\n"
"\t  cp $INITD $INITDBAK\n"
"  fi\n"
"\n"
"  # Then use it to change it\n"
"  cat $INITDBAK |\n"
"  eval $AWKS > $INITD\n"
"\n"
"  echo \"WARN: The script $INITD has been changed, trying to test the changes.\"\n"
"  echo \"Restarting the named daemon (check for errors here).\"\n"
"\n"
"  $INITD restart\n"
"  if [ $? -ne 0 ] \n"
"  then\n"
"\t  echo \"ERR:  Failed to restart the daemon.\"\n"
"\t  restore\n"
"\t  exit 1\n"
"  fi\n"
"\n"
"  RUNNING=`ps -eo fname |grep named`\n"
"  if [ -z \"$RUNNING\" ] \n"
"  then\n"
"\t  echo \"ERR:  Named is not running, probably due to a problem with the changes.\"\n"
"\t  restore\n"
"\t  exit 1\n"
"  fi\n"
"\n"
"  # Check if it's running as expected\n"
"  RUNUSER=`ps -eo user,fname |grep named |cut -f 1 -d \" \"`\n"
"\n"
"  if [ \"$RUNUSER\" = \"$USER\" ] \n"
"  then\n"
"\t  echo \"All has gone well, named seems to be running now as $USER.\"\n"
"  else\n"
"\t  echo \"ERR:  The script failed to automatically change the system.\"\n"
"\t  echo \"ERR:  Named is currently running as $RUNUSER.\"\n"
"\t  restore\n"
"\t  exit 1\n"
"  fi\n"
"\n"
"  exit 0"

msgid "The previous script, run on Woody's (Debian 3.0) custom <command>bind</command> (version 8), will modify the initd file after creating the 'named' user and group and will"
msgstr "O script anterior, execute-o no <command>bind</command> customizado do Woody (Debian 3.0), irá produzir o arquivo initd abaixo depois de criar o usuário e grupo 'named':"

msgid "Security update protected by a firewall"
msgstr "Atualização de segurança protegida por um firewall"

msgid "After a standard installation, a system may still have some security vulnerabilities. Unless you can download updates for the vulnerable packages on another system (or you have mirrored security.debian.org for local use), the system will have to be connected to the Internet for the downloads."
msgstr "Depois de uma instalaçõa padrão, o sistema ainda poderá ter algumas vulnerabilidades de segurança. Ao menos que você baixe as atualizações para os pacotes vulneráveis em outro computador (ou você tenha espelhado security.debian.org para uso local), o sistema deverá ter acesso à Internet para os downloads."

msgid "However, as soon as you connect to the Internet you are exposing this system. If one of your local services is vulnerable, you might be compromised even before the update is finished! This may seem paranoid but, in fact, analysis from the <ulink name=\"Honeynet Project\" url=\"http://www.honeynet.org\" /> has shown that systems can be compromised in less than three days, even if the system is not publicly known (i.e., not published in DNS records)."
msgstr "Entretanto, na medida que você se conecta à Internet estará expondo seu sistema. Se um de seus serviços locais estiver vulnerável, poderá ser comprometido mesmo antes de finalizar as atualizações! Isso pode ser paranóico, mas as análises do <ulink name=\"Projeto Honeynet\" url=\"http://www.honeynet.org\" /> têm mostrado que sistemas podem ser comprometidos em menos de três dias, mesmo que o sistema não seja conhecido publicamento (i.e., não está publicado nos registros DNS)."

msgid "When doing an update on a system not protected by an external system like a firewall, it is possible to properly configure your local firewall to restrict connections involving only the security update itself. The example below shows how to set up such local firewall capabilities, which allow connections from security.debian.org only, logging all others."
msgstr "Quando estiver fazendo uma atualização em um sistema não protegido por um mecanismo externo como firewall, é possível configurar seu firewall local para restringir conexões envolvendo somente as próprias atualizações de segurança. O exemplo abaixo mostra como configurar estas capacidades de firewall, que permitem somente conexões do security.debian.org, registrando todas as outras que são negadas."

msgid "The following example can be use to setup a restricted firewall ruleset. Run this commands from a local console (not a remote one) to reduce the chances of locking yourself out of the system."
msgstr ""

msgid ""
"\n"
"  # iptables -F\n"
"  # iptables -L\n"
"  Chain INPUT (policy ACCEPT)\n"
"  target     prot opt source               destination\n"
"\n"
"  Chain FORWARD (policy ACCEPT)\n"
"  target     prot opt source               destination\n"
"\n"
"  Chain OUTPUT (policy ACCEPT)\n"
"  target     prot opt source               destination\n"
"  # iptables -A OUTPUT -d security.debian.org --dport 80 -j ACCEPT\n"
"  # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
"  # iptables -A INPUT -p icmp -j ACCEPT\n"
"  # iptables -A INPUT -j LOG\n"
"  # iptables -A OUTPUT -j LOG\n"
"  # iptables -P INPUT DROP\n"
"  # iptables -P FORWARD DROP\n"
"  # iptables -P OUTPUT DROP\n"
"  # iptables -L\n"
"  Chain INPUT (policy DROP)\n"
"  target     prot opt source               destination\n"
"  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED\n"
"  ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0\n"
"  LOG        all  --  anywhere             anywhere           LOG level warning\n"
"\n"
"  Chain FORWARD (policy DROP)\n"
"  target     prot opt source               destination\n"
"\n"
"  Chain OUTPUT (policy DROP)\n"
"  target     prot opt source               destination\n"
"  ACCEPT     80   --  anywhere             security.debian.org\n"
"  LOG        all  --  anywhere             anywhere           LOG level warning"
msgstr ""
"\n"
"  # iptables -F\n"
"  # iptables -L\n"
"  Chain INPUT (policy ACCEPT)\n"
"  target     prot opt source               destination\n"
"\n"
"  Chain FORWARD (policy ACCEPT)\n"
"  target     prot opt source               destination\n"
"\n"
"  Chain OUTPUT (policy ACCEPT)\n"
"  target     prot opt source               destination\n"
"  # iptables -P INPUT DROP\n"
"  # iptables -P FORWARD DROP\n"
"  # iptables -P OUTPUT DROP\n"
"  # iptables -A OUTPUT -d security.debian.org --dport 80 -j ACCEPT\n"
"  # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
"  # iptables -A INPUT -p icmp -j ACCEPT\n"
"  # iptables -A INPUT -j LOG\n"
"  # iptables -A OUTPUT -j LOG\n"
"  # iptables -L\n"
"  Chain INPUT (policy DROP)\n"
"  target     prot opt source               destination\n"
"  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED\n"
"  ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0\n"
"  LOG        all  --  anywhere             anywhere           LOG level warning\n"
"\n"
"  Chain FORWARD (policy DROP)\n"
"  target     prot opt source               destination\n"
"\n"
"  Chain OUTPUT (policy DROP)\n"
"  target     prot opt source               destination\n"
"  ACCEPT     80   --  anywhere             security.debian.org\n"
"  LOG        all  --  anywhere             anywhere           LOG level warning"

msgid "Note: Using a <emphasis>DROP</emphasis> policy in the INPUT chain is the most correct thing to do, but be <emphasis>very</emphasis> careful when doing this after flushing the chain from a remote connection. When testing firewall rulesets from a remote location it is best if you run a script with the firewall ruleset (instead of introducing the ruleset line by line through the command line) and, as a precaution, keep a backdoor<footnote><para>Such as <emphasis>knockd</emphasis>. Alternatively, you can open a different console and have the system ask for confirmation that there is somebody on the other side, and reset the firewall chain if no confirmation is given. The following test script could be of use: <programlisting> #!/bin/bash while true; do read -n 1 -p \"Are you there? \" -t 30 ayt if [ -z \"$ayt\" ] ; then break fi done # Reset the firewall chain, user is not available echo echo \"Resetting firewall chain!\" iptables -F iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT exit 1 </programlisting></para></footnote>"
msgstr ""

msgid "Of course, you should disable any backdoors before getting the system into production. configured so that you can re-enable access to the system if you make a mistake. That way there would be no need to go to a remote location to fix a firewall ruleset that blocks you."
msgstr ""

msgid "FIXME: This needs DNS to be working properly since it is required for security.debian.org to work. You can add security.debian.org to /etc/hosts but now it is a CNAME to several hosts (there is more than one security mirror)"
msgstr "FIXME: This needs DNS to be working properly since it is required for security.debian.org to work. You can add security.debian.org to /etc/hosts but now it is a CNAME to several hosts (there is more than one security mirror)"

msgid "FIXME: this will only work with HTTP URLs since ftp might need the ip_conntrack_ftp module, or use passive mode."
msgstr "FIXME: this will only work with HTTP URLs since ftp might need the ip_conntrack_ftp module, or use passive mode."

msgid "Chroot environment for <application>SSH</application>"
msgstr ""

msgid "Creating a restricted environment for <application>SSH</application> is a tough job due to its dependencies and the fact that, unlike other servers, <application>SSH</application> provides a remote shell to users. Thus, you will also have to consider the applications users will be allowed to use in the environment."
msgstr ""

msgid "You have two options to setup a restricted remote shell:"
msgstr ""

msgid "Chrooting the ssh users, by properly configuring the ssh daemon you can ask it to chroot a user after authentication just before it is provided a shell. Each user can have their own environment."
msgstr ""

msgid "Chrooting the ssh server, since you chroot the ssh application itself all users are chrooted to the defined environment."
msgstr ""

msgid "The first option has the advantage of making it possible to have both non-chrooted and chrooted users, if you don't introduce any setuid application in the user's chroots it is more difficult to break out of it. However, you might need to setup individual chroots for each user and it is more difficult to setup (as it requires cooperation from the SSH server). The second option is more easy to setup, and protects from an exploitation of the ssh server itself (since it's also in the chroot) but it will have the limitation that all users will share the same chroot environment (you cannot setup a per-user chroot environment)."
msgstr ""

msgid "Chrooting the ssh users"
msgstr ""

msgid "You can setup the ssh server so that it will chroot a set of defined users into a shell with a limited set of applications available."
msgstr ""

msgid "Using <package>libpam-chroot</package>"
msgstr ""

msgid "Probably the easiest way is to use the <package>libpam-chroot</package> package provided in Debian. Once you install it you need to:"
msgstr ""

msgid "Modify <filename>/etc/pam.d/ssh</filename> to use this PAM module, add as its last line<footnote><para>You can use the <emphasis>debug</emphasis> option to have it send the progress of the module to the <emphasis>authpriv.notice</emphasis> facility</para></footnote>:"
msgstr ""

msgid "\n"
"session    required   pam_chroot.so"
msgstr "\n"
"session    required   pam_chroot.so"

msgid "set a proper chroot environment for the user. You can try using the scripts available at <filename>/usr/share/doc/libpam-chroot/examples/</filename>, use the <package>makejail</package> <footnote><para>You can create a very limited bash environment with the following python definition for makejail, just create the directory <filename>/var/chroots/users/foo</filename> and a file with the following contents and call it <filename>bash.py</filename>: <screen> chroot=\"/var/chroots/users/foo\" cleanJailFirst=1 testCommandsInsideJail=[\"bash ls\"] </screen> And then run <emphasis>makejail bash.py</emphasis> to create the user environment at <filename>/var/chroots/users/foo</filename>. To test the environment run: <screen> # chroot /var/chroots/users/foo/ ls bin dev etc lib proc sbin usr </screen> </para></footnote> program or setup a minimum Debian environment with <package>debootstrap</package>. Make sure the environment includes the needed devices <footnote><para>In some occasions you might need the <filename>/dev/ptmx</filename> and <filename>/dev/pty*</filename> devices and the <filename>/dev/pts/</filename> subdirectory. Running MAKEDEV in the <filename>/dev</filename> directory of the chrooted environment should be sufficient to create them if they do not exist. If you are using kernels (version 2.6) which dynamically create device files you will need to create the /dev/pts/ files yourself and grant them the proper privileges.</para></footnote>."
msgstr ""

msgid "Configure <filename>/etc/security/chroot.conf</filename> so that the users you determine are chrooted to the directory you setup previously. You might want to have independent directories for different users so that they will not be able to see neither the whole system nor each other's."
msgstr ""

msgid "Configure SSH: Depending on your OpenSSH version the chroot environment might work straight of the box or not. Since 3.6.1p2 the <emphasis>do_pam_session()</emphasis> function is called after sshd has dropped privileges, since chroot() needs root priviledges it will not work with Privilege separation on. In newer OpenSSH versions, however, the PAM code has been modified and do_pam_session is called before dropping priviledges so it will work even with Privilege separation is on. If you have to disable it modify <filename>/etc/ssh/sshd_config</filename> like this:"
msgstr ""

msgid "\n"
"UsePrivilegeSeparation no"
msgstr "\n"
"UsePrivilegeSeparation no"

msgid "Notice that this will lower the security of your system since the OpenSSH server will then run as <emphasis>root</emphasis> user. This means that if a remote attack is found against OpenSSH an attacker will get <emphasis>root</emphasis> privileges instead of <emphasis>sshd</emphasis>, thus compromising the whole system. <footnote><para> If you are using a kernel that implements Mandatory Access Control (RSBAC/SElinux) you can avoid changing this configuration just by granting the <emphasis>sshd</emphasis> user privileges to make the chroot() system call. </para></footnote>"
msgstr ""

msgid "If you don't disable <emphasis>Privilege Separation</emphasis> you will need an <filename>/etc/passwd</filename> which includes the user's UID inside the chroot for <emphasis>Privilege Separation</emphasis> to work properly."
msgstr ""

msgid "If you have <emphasis>Privilege Separation</emphasis> set to <emphasis>yes</emphasis> and your OpenSSH version does not behave properly you will need to disable it. If you don't, users that try to connect to your server and would be chrooted by this module will see this:"
msgstr ""

msgid ""
"\n"
"$ ssh -l user server\n"
"user@server's password:\n"
"Connection to server closed by remote host.\n"
"Connection to server closed."
msgstr ""

msgid "This is because the ssh daemon, which is running as 'sshd', is not be able to make the chroot() system call. To disable Privilege separation you have to modify the <filename>/etc/ssh/sshd_config</filename> configuration file as described above."
msgstr ""

msgid "Notice that if any of the following is missing the users will not be able to logon to the chroot:"
msgstr ""

msgid "The <filename>/proc</filename> filesystem needs to be mounted in the users' chroot."
msgstr ""

msgid "The necessary <filename>/dev/pts/</filename> devices need to exist. If the files are generated by your running kernel automatically then you have to manually create them on the chroot's <filename>/dev/</filename>."
msgstr ""

msgid "The user's home directory has to exist in the chroot, otherwise the ssh daemon will not continue."
msgstr ""

msgid "You can debug all these issues if you use the <emphasis>debug</emphasis> keyword in the <filename>/etc/pam.d/ssh</filename> PAM definition. If you encounter issues you might find it useful to enable the debugging mode on the ssh client too."
msgstr ""

msgid "Note: This information is also available (and maybe more up to date) in <filename>/usr/share/doc/libpam-chroot/README.Debian.gz</filename>, please review it for updated information before taking the above steps."
msgstr ""

msgid "Patching the <command>ssh</command> server"
msgstr ""

msgid "Debian's <command>sshd</command> does not allow restriction of a user's movement through the server, since it lacks the <command>chroot</command> function that the commercial program <command>sshd2</command> includes (using 'ChrootGroups' or 'ChrootUsers', see <citerefentry><refentrytitle>sshd2_config</refentrytitle> <manvolnum>5</manvolnum></citerefentry>). However, there is a patch available to add this functionality available from <ulink name=\"ChrootSSH project\" url=\"http://chrootssh.sourceforge.net\" /> (requested and available in <ulink name=\"Bug #139047\" url=\"http://bugs.debian.org/139047\" /> in Debian). The patch may be included in future releases of the OpenSSH package. Emmanuel Lacour has <command>ssh</command> deb packages for <emphasis>sarge</emphasis> with this feature. They are available at <ulink url=\"http://debian.home-dn.net/sarge/ssh/\" />. Notice that those might not be up to date so completing the compilation step is recommended."
msgstr ""

msgid "After applying the patch, modify <filename>/etc/passwd</filename> by changing the home path of the users (with the special <literal>/./</literal> token):"
msgstr ""

msgid "\n"
"  joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash"
msgstr "\n"
"  joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash"

msgid "This will restrict <emphasis>both</emphasis> remote shell access, as well as remote copy through the <command>ssh</command> channel."
msgstr "Isto irá restringir <emphasis>ambos</emphasis> o acesso remoto ao shell, como também a cópia remota através do canal <command>ssh</command>."

msgid "Make sure to have all the needed binaries and libraries in the <command>chroot</command>'ed path for users. These files should be owned by root to avoid tampering by the user (so as to exit the <command>chroot</command>'ed jailed). A sample might include:"
msgstr "Tenha certeza de ter todos os binários e bibliotecas necessárias dentro do caminho que está enjaulado para os usuários. Estes arquivos devem pertencer ao root para evitar tampering pelo usuário (como sair da jaula <command>chroot</command>'ed). Um exemplo possível inclue:"

msgid ""
"\n"
"./bin:\n"
"total 660\n"
"drwxr-xr-x    2 root     root         4096 Mar 18 13:36 .\n"
"drwxr-xr-x    8 guest    guest        4096 Mar 15 16:53 ..\n"
"-r-xr-xr-x    1 root     root       531160 Feb  6 22:36 bash\n"
"-r-xr-xr-x    1 root     root        43916 Nov 29 13:19 ls\n"
"-r-xr-xr-x    1 root     root        16684 Nov 29 13:19 mkdir\n"
"-rwxr-xr-x    1 root     root        23960 Mar 18 13:36 more\n"
"-r-xr-xr-x    1 root     root         9916 Jul 26  2001 pwd\n"
"-r-xr-xr-x    1 root     root        24780 Nov 29 13:19 rm\n"
"lrwxrwxrwx    1 root     root            4 Mar 30 16:29 sh -&gt; bash"
msgstr ""
"\n"
"./bin:\n"
"total 660\n"
"drwxr-xr-x    2 root     root         4096 Mar 18 13:36 .\n"
"drwxr-xr-x    8 guest    guest        4096 Mar 15 16:53 ..\n"
"-r-xr-xr-x    1 root     root       531160 Feb  6 22:36 bash\n"
"-r-xr-xr-x    1 root     root        43916 Nov 29 13:19 ls\n"
"-r-xr-xr-x    1 root     root        16684 Nov 29 13:19 mkdir\n"
"-rwxr-xr-x    1 root     root        23960 Mar 18 13:36 more\n"
"-r-xr-xr-x    1 root     root         9916 Jul 26  2001 pwd\n"
"-r-xr-xr-x    1 root     root        24780 Nov 29 13:19 rm\n"
"lrwxrwxrwx    1 root     root            4 Mar 30 16:29 sh -&gt; bash"

msgid ""
"\n"
"./etc:\n"
"total 24\n"
"drwxr-xr-x    2 root     root         4096 Mar 15 16:13 .\n"
"drwxr-xr-x    8 guest    guest        4096 Mar 15 16:53 ..\n"
"-rw-r--r--    1 root     root           54 Mar 15 13:23 group\n"
"-rw-r--r--    1 root     root          428 Mar 15 15:56 hosts\n"
"-rw-r--r--    1 root     root           44 Mar 15 15:53 passwd\n"
"-rw-r--r--    1 root     root           52 Mar 15 13:23 shells"
msgstr ""
"\n"
"./etc:\n"
"total 24\n"
"drwxr-xr-x    2 root     root         4096 Mar 15 16:13 .\n"
"drwxr-xr-x    8 guest    guest        4096 Mar 15 16:53 ..\n"
"-rw-r--r--    1 root     root           54 Mar 15 13:23 group\n"
"-rw-r--r--    1 root     root          428 Mar 15 15:56 hosts\n"
"-rw-r--r--    1 root     root           44 Mar 15 15:53 passwd\n"
"-rw-r--r--    1 root     root           52 Mar 15 13:23 shells"

msgid ""
"\n"
"./lib:\n"
"total 1848\n"
"drwxr-xr-x    2 root     root         4096 Mar 18 13:37 .\n"
"drwxr-xr-x    8 guest    guest        4096 Mar 15 16:53 ..\n"
"-rwxr-xr-x    1 root     root        92511 Mar 15 12:49 ld-linux.so.2\n"
"-rwxr-xr-x    1 root     root      1170812 Mar 15 12:49 libc.so.6\n"
"-rw-r--r--    1 root     root        20900 Mar 15 13:01 libcrypt.so.1\n"
"-rw-r--r--    1 root     root         9436 Mar 15 12:49 libdl.so.2\n"
"-rw-r--r--    1 root     root       248132 Mar 15 12:48 libncurses.so.5\n"
"-rw-r--r--    1 root     root        71332 Mar 15 13:00 libnsl.so.1\n"
"-rw-r--r--    1 root     root        34144 Mar 15 16:10\n"
"libnss_files.so.2\n"
"-rw-r--r--    1 root     root        29420 Mar 15 12:57 libpam.so.0\n"
"-rw-r--r--    1 root     root       105498 Mar 15 12:51 libpthread.so.0\n"
"-rw-r--r--    1 root     root        25596 Mar 15 12:51 librt.so.1\n"
"-rw-r--r--    1 root     root         7760 Mar 15 12:59 libutil.so.1\n"
"-rw-r--r--    1 root     root        24328 Mar 15 12:57 libwrap.so.0"
msgstr ""
"\n"
"./lib:\n"
"total 1848\n"
"drwxr-xr-x    2 root     root         4096 Mar 18 13:37 .\n"
"drwxr-xr-x    8 guest    guest        4096 Mar 15 16:53 ..\n"
"-rwxr-xr-x    1 root     root        92511 Mar 15 12:49 ld-linux.so.2\n"
"-rwxr-xr-x    1 root     root      1170812 Mar 15 12:49 libc.so.6\n"
"-rw-r--r--    1 root     root        20900 Mar 15 13:01 libcrypt.so.1\n"
"-rw-r--r--    1 root     root         9436 Mar 15 12:49 libdl.so.2\n"
"-rw-r--r--    1 root     root       248132 Mar 15 12:48 libncurses.so.5\n"
"-rw-r--r--    1 root     root        71332 Mar 15 13:00 libnsl.so.1\n"
"-rw-r--r--    1 root     root        34144 Mar 15 16:10\n"
"libnss_files.so.2\n"
"-rw-r--r--    1 root     root        29420 Mar 15 12:57 libpam.so.0\n"
"-rw-r--r--    1 root     root       105498 Mar 15 12:51 libpthread.so.0\n"
"-rw-r--r--    1 root     root        25596 Mar 15 12:51 librt.so.1\n"
"-rw-r--r--    1 root     root         7760 Mar 15 12:59 libutil.so.1\n"
"-rw-r--r--    1 root     root        24328 Mar 15 12:57 libwrap.so.0"

msgid ""
"\n"
"./usr:\n"
"total 16\n"
"drwxr-xr-x    4 root     root         4096 Mar 15 13:00 .\n"
"drwxr-xr-x    8 guest    guest        4096 Mar 15 16:53 ..\n"
"drwxr-xr-x    2 root     root         4096 Mar 15 15:55 bin\n"
"drwxr-xr-x    2 root     root         4096 Mar 15 15:37 lib"
msgstr ""
"\n"
"./usr:\n"
"total 16\n"
"drwxr-xr-x    4 root     root         4096 Mar 15 13:00 .\n"
"drwxr-xr-x    8 guest    guest        4096 Mar 15 16:53 ..\n"
"drwxr-xr-x    2 root     root         4096 Mar 15 15:55 bin\n"
"drwxr-xr-x    2 root     root         4096 Mar 15 15:37 lib"

msgid ""
"\n"
"./usr/bin:\n"
"total 340\n"
"drwxr-xr-x    2 root     root         4096 Mar 15 15:55 .\n"
"drwxr-xr-x    4 root     root         4096 Mar 15 13:00 ..\n"
"-rwxr-xr-x    1 root     root        10332 Mar 15 15:55 env\n"
"-rwxr-xr-x    1 root     root        13052 Mar 15 13:13 id\n"
"-r-xr-xr-x    1 root     root        25432 Mar 15 12:40 scp\n"
"-rwxr-xr-x    1 root     root        43768 Mar 15 15:15 sftp\n"
"-r-sr-xr-x    1 root     root       218456 Mar 15 12:40 ssh\n"
"-rwxr-xr-x    1 root     root         9692 Mar 15 13:17 tty"
msgstr ""
"\n"
"./usr/bin:\n"
"total 340\n"
"drwxr-xr-x    2 root     root         4096 Mar 15 15:55 .\n"
"drwxr-xr-x    4 root     root         4096 Mar 15 13:00 ..\n"
"-rwxr-xr-x    1 root     root        10332 Mar 15 15:55 env\n"
"-rwxr-xr-x    1 root     root        13052 Mar 15 13:13 id\n"
"-r-xr-xr-x    1 root     root        25432 Mar 15 12:40 scp\n"
"-rwxr-xr-x    1 root     root        43768 Mar 15 15:15 sftp\n"
"-r-sr-xr-x    1 root     root       218456 Mar 15 12:40 ssh\n"
"-rwxr-xr-x    1 root     root         9692 Mar 15 13:17 tty"

msgid ""
"\n"
"./usr/lib:\n"
"total 852\n"
"drwxr-xr-x    2 root     root         4096 Mar 15 15:37 .\n"
"drwxr-xr-x    4 root     root         4096 Mar 15 13:00 ..\n"
"-rw-r--r--    1 root     root       771088 Mar 15 13:01\n"
"libcrypto.so.0.9.6\n"
"-rw-r--r--    1 root     root        54548 Mar 15 13:00 libz.so.1\n"
"-rwxr-xr-x    1 root     root        23096 Mar 15 15:37 sftp-server"
msgstr ""
"\n"
"./usr/lib:\n"
"total 852\n"
"drwxr-xr-x    2 root     root         4096 Mar 15 15:37 .\n"
"drwxr-xr-x    4 root     root         4096 Mar 15 13:00 ..\n"
"-rw-r--r--    1 root     root       771088 Mar 15 13:01\n"
"libcrypto.so.0.9.6\n"
"-rw-r--r--    1 root     root        54548 Mar 15 13:00 libz.so.1\n"
"-rwxr-xr-x    1 root     root        23096 Mar 15 15:37 sftp-server"

msgid "Chrooting the ssh server"
msgstr ""

msgid "If you create a chroot which includes the SSH server files in, for example <filename>/var/chroot/ssh</filename>, you would start the <command>ssh</command> server <command>chroot</command>'ed with this command:"
msgstr ""

msgid "\n"
"  # chroot /var/chroot/ssh /sbin/sshd -f /etc/sshd_config"
msgstr "\n"
"  # chroot /var/chroot/ssh /sbin/sshd -f /etc/sshd_config"

msgid "That would make startup the <command>sshd</command> daemon inside the chroot. In order to do that you have to first prepare the contents of the <filename>/var/chroot/ssh</filename> directory so that it includes both the SSH server and all the utilities that the users connecting to that server might need. If you are doing this you should make certain that OpenSSH uses <emphasis>Privilege Separation</emphasis> (which is the default) having the following line in the configuration file <filename>/etc/ssh/sshd_config</filename>:"
msgstr ""

msgid "\n"
"UsePrivilegeSeparation yes"
msgstr "\n"
"UsePrivilegeSeparation yes"

msgid "That way the remote daemon will do as few things as possible as the root user so even if there is a bug in it it will not compromise the chroot. Notice that, unlike the case in which you setup a per-user chroot, the ssh daemon is running in the same chroot as the users so there is at least one potential process running as root which could break out of the chroot."
msgstr ""

msgid "Notice, also, that in order for SSH to work in that location, the partition where the chroot directory resides cannot be mounted with the <emphasis>nodev</emphasis> option. If you use that option, then you will get the following error: <emphasis>PRNG is not seeded</emphasis>, because <filename>/dev/urandom</filename> does not work in the chroot."
msgstr ""

msgid "Setup a minimal system (the really easy way)"
msgstr ""

msgid "You can use <package>debootstrap</package> to setup a minimal environment that just includes the ssh server. In order to do this you just have to create a chroot as described in the <ulink name=\"chroot section of the Debian Reference\" url=\"http://www.debian.org/doc/manuals/reference/ch09#_chroot_system\" /> document. This method is bound to work (you will get all the necessary componentes for the chroot) but at the cost of disk space (a minimal installation of Debian will amount to several hundred megabytes). This minimal system might also include setuid files that a user in the chroot could use to break out of the chroot if any of those could be use for a privilege escalation."
msgstr ""

msgid "Automatically making the environment (the easy way)"
msgstr "Configurando automaticamente o ambiente (a maneira fácil)"

msgid "You can easily create a restricted environment with the <package>makejail</package> package, since it automatically takes care of tracing the server daemon (with <command>strace</command>), and makes it run under the restricted environment."
msgstr "Você pode facilmente criar um ambiente restrito com o pacote <package>makejail</package>, já que ele automaticamente segue as trilhas do servidor daemon (com <command>strace</command>) e faz com que ele execute em um ambiente restrito."

msgid "The advantage of programs that automatically generate <command>chroot</command> environments is that they are capable of copying any package to the <command>chroot</command> environment (even following the package's dependencies and making sure it's complete). Thus, providing user applications is easier."
msgstr "A vantagem de programas que automaticamente geram um ambiente <command>chroot</command> é que eles são capazes de copiar qualquer pacote para o ambiente <command>chroot</command> (mesmo seguindo as dependências do pacote e certificar que foi completada). Então, fornecer as aplicações dos usuários é bem mais fácil."

msgid "To set up the environment using <command>makejail</command>'s provided examples, just create <filename>/var/chroot/sshd</filename> and use the command:"
msgstr ""

msgid "\n"
"  # makejail /usr/share/doc/makejail/examples/sshd.py"
msgstr "\n"
"  # makejail /usr/share/doc/makejail/examples/sshd.py"

msgid "This will setup the chroot in the <filename>/var/chroot/sshd</filename> directory. Notice that this chroot will not fully work unless you:"
msgstr ""

msgid "Mount the <emphasis>procfs</emphasis> filesystem in <filename>/var/chroot/sshd/proc</filename>. <command>Makejail</command> will mount it for you but if the system reboots you need to remount it running:"
msgstr ""

msgid "\n"
"# mount -t proc proc /var/chroot/sshd/proc"
msgstr "\n"
"# mount -t proc proc /var/chroot/sshd/proc"

msgid "You can also have it be mounted automatically by editing <filename>/etc/fstab</filename> and including this line:"
msgstr ""

msgid "\n"
"proc-ssh /var/chroot/sshd/proc  proc none 0 0"
msgstr "\n"
"proc-ssh /var/chroot/sshd/proc  proc none 0 0"

msgid "Have syslog listen to the device <filename>/dev/log</filename> inside the chroot. In order to do this you have modify <filename>/etc/default/syslogd</filename> and add <emphasis>-a /var/chroot/sshd/dev/log</emphasis> to the <varname>SYSLOGD</varname> variable definition."
msgstr ""

msgid "Read the sample file to see what other changes need to be made to the environment. Some of these changes, such as copying user's home directories, cannot be done automatically. Also, limit the exposure of sensitive information by only copying the data from a given number of users from the files <filename>/etc/shadow</filename> or <filename>/etc/group</filename>. Notice that if you are using Privilege Separation the <emphasis>sshd</emphasis> user needs to exist in those files."
msgstr "Leia o arquivo exemplo para ver que outras mudanças devem ser feitas para o ambiente. Algumas dessas mudanças, como copiar os diretórios home do usuário, não podem ser feitas automaticamente. Também limite a exposição de informações sensíveis, copiando os dados de um certo número de usuários dos arquivos <filename>/etc/shadow</filename> ou <filename>/etc/group</filename>."

msgid "The following sample environment has been (slightly) tested in Debian 3.0 and is built with the configuration file provided in the package and includes the <package>fileutils</package> package:"
msgstr "O seguinte exemplo de ambiente tem sido (levemente) testado, foi construído com o arquivo de configuração fornecido no pacote e inclue o pacote <package>fileutils</package>:"

msgid ""
"\n"
".\n"
"|-- bin\n"
"|   |-- ash\n"
"|   |-- bash\n"
"|   |-- chgrp\n"
"|   |-- chmod\n"
"|   |-- chown\n"
"|   |-- cp\n"
"|   |-- csh -&gt; /etc/alternatives/csh\n"
"|   |-- dd\n"
"|   |-- df\n"
"|   |-- dir\n"
"|   |-- fdflush\n"
"|   |-- ksh\n"
"|   |-- ln\n"
"|   |-- ls\n"
"|   |-- mkdir\n"
"|   |-- mknod\n"
"|   |-- mv\n"
"|   |-- rbash -&gt; bash\n"
"|   |-- rm\n"
"|   |-- rmdir\n"
"|   |-- sh -&gt; bash\n"
"|   |-- sync\n"
"|   |-- tcsh\n"
"|   |-- touch\n"
"|   |-- vdir\n"
"|   |-- zsh -&gt; /etc/alternatives/zsh\n"
"|   `-- zsh4\n"
"|-- dev\n"
"|   |-- null\n"
"|   |-- ptmx\n"
"|   |-- pts\n"
"|   |-- ptya0\n"
"(...)\n"
"|   |-- tty\n"
"|   |-- tty0\n"
"(...)\n"
"|   `-- urandom\n"
"|-- etc\n"
"|   |-- alternatives\n"
"|   |   |-- csh -&gt; /bin/tcsh\n"
"|   |   `-- zsh -&gt; /bin/zsh4\n"
"|   |-- environment\n"
"|   |-- hosts\n"
"|   |-- hosts.allow\n"
"|   |-- hosts.deny\n"
"|   |-- ld.so.conf\n"
"|   |-- localtime -&gt; /usr/share/zoneinfo/Europe/Madrid\n"
"|   |-- motd\n"
"|   |-- nsswitch.conf\n"
"|   |-- pam.conf\n"
"|   |-- pam.d\n"
"|   |   |-- other\n"
"|   |   `-- ssh\n"
"|   |-- passwd\n"
"|   |-- resolv.conf\n"
"|   |-- security\n"
"|   |   |-- access.conf\n"
"|   |   |-- chroot.conf\n"
"|   |   |-- group.conf\n"
"|   |   |-- limits.conf\n"
"|   |   |-- pam_env.conf\n"
"|   |   `-- time.conf\n"
"|   |-- shadow\n"
"|   |-- shells\n"
"|   `-- ssh\n"
"|       |-- moduli\n"
"|       |-- ssh_host_dsa_key\n"
"|       |-- ssh_host_dsa_key.pub\n"
"|       |-- ssh_host_rsa_key\n"
"|       |-- ssh_host_rsa_key.pub\n"
"|       `-- sshd_config\n"
"|-- home\n"
"|   `-- userX\n"
"|-- lib\n"
"|   |-- ld-2.2.5.so\n"
"|   |-- ld-linux.so.2 -&gt; ld-2.2.5.so\n"
"|   |-- libc-2.2.5.so\n"
"|   |-- libc.so.6 -&gt; libc-2.2.5.so\n"
"|   |-- libcap.so.1 -&gt; libcap.so.1.10\n"
"|   |-- libcap.so.1.10\n"
"|   |-- libcrypt-2.2.5.so\n"
"|   |-- libcrypt.so.1 -&gt; libcrypt-2.2.5.so\n"
"|   |-- libdl-2.2.5.so\n"
"|   |-- libdl.so.2 -&gt; libdl-2.2.5.so\n"
"|   |-- libm-2.2.5.so\n"
"|   |-- libm.so.6 -&gt; libm-2.2.5.so\n"
"|   |-- libncurses.so.5 -&gt; libncurses.so.5.2\n"
"|   |-- libncurses.so.5.2\n"
"|   |-- libnsl-2.2.5.so\n"
"|   |-- libnsl.so.1 -&gt; libnsl-2.2.5.so\n"
"|   |-- libnss_compat-2.2.5.so\n"
"|   |-- libnss_compat.so.2 -&gt; libnss_compat-2.2.5.so\n"
"|   |-- libnss_db-2.2.so\n"
"|   |-- libnss_db.so.2 -&gt; libnss_db-2.2.so\n"
"|   |-- libnss_dns-2.2.5.so\n"
"|   |-- libnss_dns.so.2 -&gt; libnss_dns-2.2.5.so\n"
"|   |-- libnss_files-2.2.5.so\n"
"|   |-- libnss_files.so.2 -&gt; libnss_files-2.2.5.so\n"
"|   |-- libnss_hesiod-2.2.5.so\n"
"|   |-- libnss_hesiod.so.2 -&gt; libnss_hesiod-2.2.5.so\n"
"|   |-- libnss_nis-2.2.5.so\n"
"|   |-- libnss_nis.so.2 -&gt; libnss_nis-2.2.5.so\n"
"|   |-- libnss_nisplus-2.2.5.so\n"
"|   |-- libnss_nisplus.so.2 -&gt; libnss_nisplus-2.2.5.so\n"
"|   |-- libpam.so.0 -&gt; libpam.so.0.72\n"
"|   |-- libpam.so.0.72\n"
"|   |-- libpthread-0.9.so\n"
"|   |-- libpthread.so.0 -&gt; libpthread-0.9.so\n"
"|   |-- libresolv-2.2.5.so\n"
"|   |-- libresolv.so.2 -&gt; libresolv-2.2.5.so\n"
"|   |-- librt-2.2.5.so\n"
"|   |-- librt.so.1 -&gt; librt-2.2.5.so\n"
"|   |-- libutil-2.2.5.so\n"
"|   |-- libutil.so.1 -&gt; libutil-2.2.5.so\n"
"|   |-- libwrap.so.0 -&gt; libwrap.so.0.7.6\n"
"|   |-- libwrap.so.0.7.6\n"
"|   `-- security\n"
"|       |-- pam_access.so\n"
"|       |-- pam_chroot.so\n"
"|       |-- pam_deny.so\n"
"|       |-- pam_env.so\n"
"|       |-- pam_filter.so\n"
"|       |-- pam_ftp.so\n"
"|       |-- pam_group.so\n"
"|       |-- pam_issue.so\n"
"|       |-- pam_lastlog.so\n"
"|       |-- pam_limits.so\n"
"|       |-- pam_listfile.so\n"
"|       |-- pam_mail.so\n"
"|       |-- pam_mkhomedir.so\n"
"|       |-- pam_motd.so\n"
"|       |-- pam_nologin.so\n"
"|       |-- pam_permit.so\n"
"|       |-- pam_rhosts_auth.so\n"
"|       |-- pam_rootok.so\n"
"|       |-- pam_securetty.so\n"
"|       |-- pam_shells.so\n"
"|       |-- pam_stress.so\n"
"|       |-- pam_tally.so\n"
"|       |-- pam_time.so\n"
"|       |-- pam_unix.so\n"
"|       |-- pam_unix_acct.so -&gt; pam_unix.so\n"
"|       |-- pam_unix_auth.so -&gt; pam_unix.so\n"
"|       |-- pam_unix_passwd.so -&gt; pam_unix.so\n"
"|       |-- pam_unix_session.so -&gt; pam_unix.so\n"
"|       |-- pam_userdb.so\n"
"|       |-- pam_warn.so\n"
"|       `-- pam_wheel.so\n"
"|-- sbin\n"
"|   `-- start-stop-daemon\n"
"|-- usr\n"
"|   |-- bin\n"
"|   |   |-- dircolors\n"
"|   |   |-- du\n"
"|   |   |-- install\n"
"|   |   |-- link\n"
"|   |   |-- mkfifo\n"
"|   |   |-- shred\n"
"|   |   |-- touch -&gt; /bin/touch\n"
"|   |   `-- unlink\n"
"|   |-- lib\n"
"|   |   |-- libcrypto.so.0.9.6\n"
"|   |   |-- libdb3.so.3 -&gt; libdb3.so.3.0.2\n"
"|   |   |-- libdb3.so.3.0.2\n"
"|   |   |-- libz.so.1 -&gt; libz.so.1.1.4\n"
"|   |   `-- libz.so.1.1.4\n"
"|   |-- sbin\n"
"|   |   `-- sshd\n"
"|   `-- share\n"
"|       |-- locale\n"
"|       |   `-- es\n"
"|       |       |-- LC_MESSAGES\n"
"|       |       |   |-- fileutils.mo\n"
"|       |       |   |-- libc.mo\n"
"|       |       |   `-- sh-utils.mo\n"
"|       |       `-- LC_TIME -&gt; LC_MESSAGES\n"
"|       `-- zoneinfo\n"
"|           `-- Europe\n"
"|               `-- Madrid\n"
"`-- var\n"
"    `-- run\n"
"        |-- sshd\n"
"        `-- sshd.pid\n"
"\n"
"27 directories, 733 files"
msgstr ""
"\n"
".\n"
"|-- bin\n"
"|   |-- ash\n"
"|   |-- bash\n"
"|   |-- chgrp\n"
"|   |-- chmod\n"
"|   |-- chown\n"
"|   |-- cp\n"
"|   |-- csh -> /etc/alternatives/csh\n"
"|   |-- dd\n"
"|   |-- df\n"
"|   |-- dir\n"
"|   |-- fdflush\n"
"|   |-- ksh\n"
"|   |-- ln\n"
"|   |-- ls\n"
"|   |-- mkdir\n"
"|   |-- mknod\n"
"|   |-- mv\n"
"|   |-- rbash -> bash\n"
"|   |-- rm\n"
"|   |-- rmdir\n"
"|   |-- sh -> bash\n"
"|   |-- sync\n"
"|   |-- tcsh\n"
"|   |-- touch\n"
"|   |-- vdir\n"
"|   |-- zsh -> /etc/alternatives/zsh\n"
"|   `-- zsh4\n"
"|-- dev\n"
"|   |-- null\n"
"|   |-- ptmx\n"
"|   |-- pts\n"
"|   |-- ptya0\n"
"(...)\n"
"|   |-- tty\n"
"|   |-- tty0\n"
"(...)\n"
"|   `-- urandom\n"
"|-- etc\n"
"|   |-- alternatives\n"
"|   |   |-- csh -> /bin/tcsh\n"
"|   |   `-- zsh -> /bin/zsh4\n"
"|   |-- environment\n"
"|   |-- hosts\n"
"|   |-- hosts.allow\n"
"|   |-- hosts.deny\n"
"|   |-- ld.so.conf\n"
"|   |-- localtime -> /usr/share/zoneinfo/Europe/Madrid\n"
"|   |-- motd\n"
"|   |-- nsswitch.conf\n"
"|   |-- pam.conf\n"
"|   |-- pam.d\n"
"|   |   |-- other\n"
"|   |   `-- ssh\n"
"|   |-- passwd\n"
"|   |-- resolv.conf\n"
"|   |-- security\n"
"|   |   |-- access.conf\n"
"|   |   |-- chroot.conf\n"
"|   |   |-- group.conf\n"
"|   |   |-- limits.conf\n"
"|   |   |-- pam_env.conf\n"
"|   |   `-- time.conf\n"
"|   |-- shadow\n"
"|   |-- shells\n"
"|   `-- ssh\n"
"|       |-- moduli\n"
"|       |-- ssh_host_dsa_key\n"
"|       |-- ssh_host_dsa_key.pub\n"
"|       |-- ssh_host_rsa_key\n"
"|       |-- ssh_host_rsa_key.pub\n"
"|       `-- sshd_config\n"
"|-- home\n"
"|   `-- userX\n"
"|-- lib\n"
"|   |-- ld-2.2.5.so\n"
"|   |-- ld-linux.so.2 -> ld-2.2.5.so\n"
"|   |-- libc-2.2.5.so\n"
"|   |-- libc.so.6 -> libc-2.2.5.so\n"
"|   |-- libcap.so.1 -> libcap.so.1.10\n"
"|   |-- libcap.so.1.10\n"
"|   |-- libcrypt-2.2.5.so\n"
"|   |-- libcrypt.so.1 -> libcrypt-2.2.5.so\n"
"|   |-- libdl-2.2.5.so\n"
"|   |-- libdl.so.2 -> libdl-2.2.5.so\n"
"|   |-- libm-2.2.5.so\n"
"|   |-- libm.so.6 -> libm-2.2.5.so\n"
"|   |-- libncurses.so.5 -> libncurses.so.5.2\n"
"|   |-- libncurses.so.5.2\n"
"|   |-- libnsl-2.2.5.so\n"
"|   |-- libnsl.so.1 -> libnsl-2.2.5.so\n"
"|   |-- libnss_compat-2.2.5.so\n"
"|   |-- libnss_compat.so.2 -> libnss_compat-2.2.5.so\n"
"|   |-- libnss_db-2.2.so\n"
"|   |-- libnss_db.so.2 -> libnss_db-2.2.so\n"
"|   |-- libnss_dns-2.2.5.so\n"
"|   |-- libnss_dns.so.2 -> libnss_dns-2.2.5.so\n"
"|   |-- libnss_files-2.2.5.so\n"
"|   |-- libnss_files.so.2 -> libnss_files-2.2.5.so\n"
"|   |-- libnss_hesiod-2.2.5.so\n"
"|   |-- libnss_hesiod.so.2 -> libnss_hesiod-2.2.5.so\n"
"|   |-- libnss_nis-2.2.5.so\n"
"|   |-- libnss_nis.so.2 -> libnss_nis-2.2.5.so\n"
"|   |-- libnss_nisplus-2.2.5.so\n"
"|   |-- libnss_nisplus.so.2 -> libnss_nisplus-2.2.5.so\n"
"|   |-- libpam.so.0 -> libpam.so.0.72\n"
"|   |-- libpam.so.0.72\n"
"|   |-- libpthread-0.9.so\n"
"|   |-- libpthread.so.0 -> libpthread-0.9.so\n"
"|   |-- libresolv-2.2.5.so\n"
"|   |-- libresolv.so.2 -> libresolv-2.2.5.so\n"
"|   |-- librt-2.2.5.so\n"
"|   |-- librt.so.1 -> librt-2.2.5.so\n"
"|   |-- libutil-2.2.5.so\n"
"|   |-- libutil.so.1 -> libutil-2.2.5.so\n"
"|   |-- libwrap.so.0 -> libwrap.so.0.7.6\n"
"|   |-- libwrap.so.0.7.6\n"
"|   `-- security\n"
"|       |-- pam_access.so\n"
"|       |-- pam_chroot.so\n"
"|       |-- pam_deny.so\n"
"|       |-- pam_env.so\n"
"|       |-- pam_filter.so\n"
"|       |-- pam_ftp.so\n"
"|       |-- pam_group.so\n"
"|       |-- pam_issue.so\n"
"|       |-- pam_lastlog.so\n"
"|       |-- pam_limits.so\n"
"|       |-- pam_listfile.so\n"
"|       |-- pam_mail.so\n"
"|       |-- pam_mkhomedir.so\n"
"|       |-- pam_motd.so\n"
"|       |-- pam_nologin.so\n"
"|       |-- pam_permit.so\n"
"|       |-- pam_rhosts_auth.so\n"
"|       |-- pam_rootok.so\n"
"|       |-- pam_securetty.so\n"
"|       |-- pam_shells.so\n"
"|       |-- pam_stress.so\n"
"|       |-- pam_tally.so\n"
"|       |-- pam_time.so\n"
"|       |-- pam_unix.so\n"
"|       |-- pam_unix_acct.so -> pam_unix.so\n"
"|       |-- pam_unix_auth.so -> pam_unix.so\n"
"|       |-- pam_unix_passwd.so -> pam_unix.so\n"
"|       |-- pam_unix_session.so -> pam_unix.so\n"
"|       |-- pam_userdb.so\n"
"|       |-- pam_warn.so\n"
"|       `-- pam_wheel.so\n"
"|-- sbin\n"
"|   `-- start-stop-daemon\n"
"|-- usr\n"
"|   |-- bin\n"
"|   |   |-- dircolors\n"
"|   |   |-- du\n"
"|   |   |-- install\n"
"|   |   |-- link\n"
"|   |   |-- mkfifo\n"
"|   |   |-- shred\n"
"|   |   |-- touch -> /bin/touch\n"
"|   |   `-- unlink\n"
"|   |-- lib\n"
"|   |   |-- libcrypto.so.0.9.6\n"
"|   |   |-- libdb3.so.3 -> libdb3.so.3.0.2\n"
"|   |   |-- libdb3.so.3.0.2\n"
"|   |   |-- libz.so.1 -> libz.so.1.1.4\n"
"|   |   `-- libz.so.1.1.4\n"
"|   |-- sbin\n"
"|   |   `-- sshd\n"
"|   `-- share\n"
"|       |-- locale\n"
"|       |   `-- es\n"
"|       |       |-- LC_MESSAGES\n"
"|       |       |   |-- fileutils.mo\n"
"|       |       |   |-- libc.mo\n"
"|       |       |   `-- sh-utils.mo\n"
"|       |       `-- LC_TIME -> LC_MESSAGES\n"
"|       `-- zoneinfo\n"
"|           `-- Europe\n"
"|               `-- Madrid\n"
"`-- var\n"
"    `-- run\n"
"        |-- sshd\n"
"        `-- sshd.pid\n"
"\n"
"27 directories, 733 files"

msgid "For Debian release 3.1 you have to make sure that the environment includes also the common files for PAM. The following files need to be copied over to the chroot if <command>makejail</command> did not do it for you:"
msgstr ""

msgid ""
"\n"
"$ ls /etc/pam.d/common-*\n"
"/etc/pam.d/common-account  /etc/pam.d/common-password\n"
"/etc/pam.d/common-auth     /etc/pam.d/common-session"
msgstr ""
"\n"
"$ ls /etc/pam.d/common-*\n"
"/etc/pam.d/common-account  /etc/pam.d/common-password\n"
"/etc/pam.d/common-auth     /etc/pam.d/common-session"

msgid "Manually creating the environment (the hard way)"
msgstr ""

msgid "It is possible to create an environment, using a trial-and-error method, by monitoring the <command>sshd</command> server traces and log files in order to determine the necessary files. The following environment, contributed by José Luis Ledesma, is a sample listing of files in a <command>chroot</command> environment for <command>ssh</command> in Debian woody (3.0): <footnote><para> Notice that there are no SETUID files. This makes it more difficult for remote users to escape the <command>chroot</command> environment. However, it also prevents users from changing their passwords, since the <command>passwd</command> program cannot modify the files <filename>/etc/passwd</filename> or <filename>/etc/shadow</filename>. </para></footnote>"
msgstr "É possível criar um ambiente, usando o método de tentativa e erro, seguindo a execução do servidor <command>sshd</command> e arquivos de log para determinar os arquivos necessários. O seguinte ambiente, contribuído por José Luis Ledesma, é uma listagem amostral do arquivos que estão no ambiente <command>chroot</command> para o <command>ssh</command>: <footnote><para>Observe que não existem arquivos SETUID. Isso torna mais difícil para usuários remotos fugir o ambiente <command>chroot</command>. Entretanto, isso também previne que os usuários alterem suas senhas, já que o programa <command>passwd</command> não pode modificar os arquivos <filename>/etc/passwd</filename> ou <filename>/etc/shadow</filename>.</para></footnote>"

msgid ""
"\n"
".:\n"
"total 36\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ./\n"
"drwxr-xr-x 11 root root 4096 Jun 3 13:43 ../\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:13 bin/\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:16 dev/\n"
"drwxr-xr-x 4 root root 4096 Jun 4 12:35 etc/\n"
"drwxr-xr-x 3 root root 4096 Jun 4 12:13 lib/\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:35 sbin/\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:32 tmp/\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:16 usr/\n"
"./bin:\n"
"total 8368\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:13 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"-rwxr-xr-x 1 root root 109855 Jun 3 13:45 a2p*\n"
"-rwxr-xr-x 1 root root 387764 Jun 3 13:45 bash*\n"
"-rwxr-xr-x 1 root root 36365 Jun 3 13:45 c2ph*\n"
"-rwxr-xr-x 1 root root 20629 Jun 3 13:45 dprofpp*\n"
"-rwxr-xr-x 1 root root 6956 Jun 3 13:46 env*\n"
"-rwxr-xr-x 1 root root 158116 Jun 3 13:45 fax2ps*\n"
"-rwxr-xr-x 1 root root 104008 Jun 3 13:45 faxalter*\n"
"-rwxr-xr-x 1 root root 89340 Jun 3 13:45 faxcover*\n"
"-rwxr-xr-x 1 root root 441584 Jun 3 13:45 faxmail*\n"
"-rwxr-xr-x 1 root root 96036 Jun 3 13:45 faxrm*\n"
"-rwxr-xr-x 1 root root 107000 Jun 3 13:45 faxstat*\n"
"-rwxr-xr-x 1 root root 77832 Jun 4 11:46 grep*\n"
"-rwxr-xr-x 1 root root 19597 Jun 3 13:45 h2ph*\n"
"-rwxr-xr-x 1 root root 46979 Jun 3 13:45 h2xs*\n"
"-rwxr-xr-x 1 root root 10420 Jun 3 13:46 id*\n"
"-rwxr-xr-x 1 root root 4528 Jun 3 13:46 ldd*\n"
"-rwxr-xr-x 1 root root 111386 Jun 4 11:46 less*\n"
"-r-xr-xr-x 1 root root 26168 Jun 3 13:45 login*\n"
"-rwxr-xr-x 1 root root 49164 Jun 3 13:45 ls*\n"
"-rwxr-xr-x 1 root root 11600 Jun 3 13:45 mkdir*\n"
"-rwxr-xr-x 1 root root 24780 Jun 3 13:45 more*\n"
"-rwxr-xr-x 1 root root 154980 Jun 3 13:45 pal2rgb*\n"
"-rwxr-xr-x 1 root root 27920 Jun 3 13:46 passwd*\n"
"-rwxr-xr-x 1 root root 4241 Jun 3 13:45 pl2pm*\n"
"-rwxr-xr-x 1 root root 2350 Jun 3 13:45 pod2html*\n"
"-rwxr-xr-x 1 root root 7875 Jun 3 13:45 pod2latex*\n"
"-rwxr-xr-x 1 root root 17587 Jun 3 13:45 pod2man*\n"
"-rwxr-xr-x 1 root root 6877 Jun 3 13:45 pod2text*\n"
"-rwxr-xr-x 1 root root 3300 Jun 3 13:45 pod2usage*\n"
"-rwxr-xr-x 1 root root 3341 Jun 3 13:45 podchecker*\n"
"-rwxr-xr-x 1 root root 2483 Jun 3 13:45 podselect*\n"
"-r-xr-xr-x 1 root root 82412 Jun 4 11:46 ps*\n"
"-rwxr-xr-x 1 root root 36365 Jun 3 13:45 pstruct*\n"
"-rwxr-xr-x 1 root root 7120 Jun 3 13:45 pwd*\n"
"-rwxr-xr-x 1 root root 179884 Jun 3 13:45 rgb2ycbcr*\n"
"-rwxr-xr-x 1 root root 20532 Jun 3 13:45 rm*\n"
"-rwxr-xr-x 1 root root 6720 Jun 4 10:15 rmdir*\n"
"-rwxr-xr-x 1 root root 14705 Jun 3 13:45 s2p*\n"
"-rwxr-xr-x 1 root root 28764 Jun 3 13:46 scp*\n"
"-rwxr-xr-x 1 root root 385000 Jun 3 13:45 sendfax*\n"
"-rwxr-xr-x 1 root root 67548 Jun 3 13:45 sendpage*\n"
"-rwxr-xr-x 1 root root 88632 Jun 3 13:46 sftp*\n"
"-rwxr-xr-x 1 root root 387764 Jun 3 13:45 sh*\n"
"-rws--x--x 1 root root 744500 Jun 3 13:46 slogin*\n"
"-rwxr-xr-x 1 root root 14523 Jun 3 13:46 splain*\n"
"-rws--x--x 1 root root 744500 Jun 3 13:46 ssh*\n"
"-rwxr-xr-x 1 root root 570960 Jun 3 13:46 ssh-add*\n"
"-rwxr-xr-x 1 root root 502952 Jun 3 13:46 ssh-agent*\n"
"-rwxr-xr-x 1 root root 575740 Jun 3 13:46 ssh-keygen*\n"
"-rwxr-xr-x 1 root root 383480 Jun 3 13:46 ssh-keyscan*\n"
"-rwxr-xr-x 1 root root 39 Jun 3 13:46 ssh_europa*\n"
"-rwxr-xr-x 1 root root 107252 Jun 4 10:14 strace*\n"
"-rwxr-xr-x 1 root root 8323 Jun 4 10:14 strace-graph*\n"
"-rwxr-xr-x 1 root root 158088 Jun 3 13:46 thumbnail*\n"
"-rwxr-xr-x 1 root root 6312 Jun 3 13:46 tty*\n"
"-rwxr-xr-x 1 root root 55904 Jun 4 11:46 useradd*\n"
"-rwxr-xr-x 1 root root 585656 Jun 4 11:47 vi*\n"
"-rwxr-xr-x 1 root root 6444 Jun 4 11:45 whoami*\n"
"./dev:\n"
"total 8\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"crw-r--r-- 1 root root 1, 9 Jun 3 13:43 urandom\n"
"./etc:\n"
"total 208\n"
"drwxr-xr-x 4 root root 4096 Jun 4 12:35 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"-rw------- 1 root root 0 Jun 4 11:46 .pwd.lock\n"
"-rw-r--r-- 1 root root 653 Jun 3 13:46 group\n"
"-rw-r--r-- 1 root root 242 Jun 4 11:33 host.conf\n"
"-rw-r--r-- 1 root root 857 Jun 4 12:04 hosts\n"
"-rw-r--r-- 1 root root 1050 Jun 4 11:29 ld.so.cache\n"
"-rw-r--r-- 1 root root 304 Jun 4 11:28 ld.so.conf\n"
"-rw-r--r-- 1 root root 235 Jun 4 11:27 ld.so.conf~\n"
"-rw-r--r-- 1 root root 88039 Jun 3 13:46 moduli\n"
"-rw-r--r-- 1 root root 1342 Jun 4 11:34 nsswitch.conf\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:02 pam.d/\n"
"-rw-r--r-- 1 root root 28 Jun 4 12:00 pam_smb.conf\n"
"-rw-r--r-- 1 root root 2520 Jun 4 11:57 passwd\n"
"-rw-r--r-- 1 root root 7228 Jun 3 13:48 profile\n"
"-rw-r--r-- 1 root root 1339 Jun 4 11:33 protocols\n"
"-rw-r--r-- 1 root root 274 Jun 4 11:44 resolv.conf\n"
"drwxr-xr-x 2 root root 4096 Jun 3 13:43 security/\n"
"-rw-r----- 1 root root 1178 Jun 4 11:51 shadow\n"
"-rw------- 1 root root 80 Jun 4 11:45 shadow-\n"
"-rw-r----- 1 root root 1178 Jun 4 11:48 shadow.old\n"
"-rw-r--r-- 1 root root 161 Jun 3 13:46 shells\n"
"-rw-r--r-- 1 root root 1144 Jun 3 13:46 ssh_config\n"
"-rw------- 1 root root 668 Jun 3 13:46 ssh_host_dsa_key\n"
"-rw-r--r-- 1 root root 602 Jun 3 13:46 ssh_host_dsa_key.pub\n"
"-rw------- 1 root root 527 Jun 3 13:46 ssh_host_key\n"
"-rw-r--r-- 1 root root 331 Jun 3 13:46 ssh_host_key.pub\n"
"-rw------- 1 root root 883 Jun 3 13:46 ssh_host_rsa_key\n"
"-rw-r--r-- 1 root root 222 Jun 3 13:46 ssh_host_rsa_key.pub\n"
"-rw-r--r-- 1 root root 2471 Jun 4 12:15 sshd_config\n"
"./etc/pam.d:\n"
"total 24\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:02 ./\n"
"drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../\n"
"lrwxrwxrwx 1 root root 4 Jun 4 12:02 other -&gt; sshd\n"
"-rw-r--r-- 1 root root 318 Jun 3 13:46 passwd\n"
"-rw-r--r-- 1 root root 546 Jun 4 11:36 ssh\n"
"-rw-r--r-- 1 root root 479 Jun 4 12:02 sshd\n"
"-rw-r--r-- 1 root root 370 Jun 3 13:46 su\n"
"./etc/security:\n"
"total 32\n"
"drwxr-xr-x 2 root root 4096 Jun 3 13:43 ./\n"
"drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../\n"
"-rw-r--r-- 1 root root 1971 Jun 3 13:46 access.conf\n"
"-rw-r--r-- 1 root root 184 Jun 3 13:46 chroot.conf\n"
"-rw-r--r-- 1 root root 2145 Jun 3 13:46 group.conf\n"
"-rw-r--r-- 1 root root 1356 Jun 3 13:46 limits.conf\n"
"-rw-r--r-- 1 root root 2858 Jun 3 13:46 pam_env.conf\n"
"-rw-r--r-- 1 root root 2154 Jun 3 13:46 time.conf\n"
"./lib:\n"
"total 8316\n"
"drwxr-xr-x 3 root root 4096 Jun 4 12:13 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"-rw-r--r-- 1 root root 1024 Jun 4 11:51 cracklib_dict.hwm\n"
"-rw-r--r-- 1 root root 214324 Jun 4 11:51 cracklib_dict.pwd\n"
"-rw-r--r-- 1 root root 11360 Jun 4 11:51 cracklib_dict.pwi\n"
"-rwxr-xr-x 1 root root 342427 Jun 3 13:46 ld-linux.so.2*\n"
"-rwxr-xr-x 1 root root 4061504 Jun 3 13:46 libc.so.6*\n"
"lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so -&gt; libcrack.so.2.7*\n"
"lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so.2 -&gt; libcrack.so.2.7*\n"
"-rwxr-xr-x 1 root root 33291 Jun 4 11:39 libcrack.so.2.7*\n"
"-rwxr-xr-x 1 root root 60988 Jun 3 13:46 libcrypt.so.1*\n"
"-rwxr-xr-x 1 root root 71846 Jun 3 13:46 libdl.so.2*\n"
"-rwxr-xr-x 1 root root 27762 Jun 3 13:46 libhistory.so.4.0*\n"
"lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.4 -&gt; libncurses.so.4.2*\n"
"-rwxr-xr-x 1 root root 503903 Jun 3 13:46 libncurses.so.4.2*\n"
"lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.5 -&gt; libncurses.so.5.0*\n"
"-rwxr-xr-x 1 root root 549429 Jun 3 13:46 libncurses.so.5.0*\n"
"-rwxr-xr-x 1 root root 369801 Jun 3 13:46 libnsl.so.1*\n"
"-rwxr-xr-x 1 root root 142563 Jun 4 11:49 libnss_compat.so.1*\n"
"-rwxr-xr-x 1 root root 215569 Jun 4 11:49 libnss_compat.so.2*\n"
"-rwxr-xr-x 1 root root 61648 Jun 4 11:34 libnss_dns.so.1*\n"
"-rwxr-xr-x 1 root root 63453 Jun 4 11:34 libnss_dns.so.2*\n"
"-rwxr-xr-x 1 root root 63782 Jun 4 11:34 libnss_dns6.so.2*\n"
"-rwxr-xr-x 1 root root 205715 Jun 3 13:46 libnss_files.so.1*\n"
"-rwxr-xr-x 1 root root 235932 Jun 3 13:49 libnss_files.so.2*\n"
"-rwxr-xr-x 1 root root 204383 Jun 4 11:33 libnss_nis.so.1*\n"
"-rwxr-xr-x 1 root root 254023 Jun 4 11:33 libnss_nis.so.2*\n"
"-rwxr-xr-x 1 root root 256465 Jun 4 11:33 libnss_nisplus.so.2*\n"
"lrwxrwxrwx 1 root root 14 Jun 4 12:12 libpam.so.0 -&gt; libpam.so.0.72*\n"
"-rwxr-xr-x 1 root root 31449 Jun 3 13:46 libpam.so.0.72*\n"
"lrwxrwxrwx 1 root root 19 Jun 4 12:12 libpam_misc.so.0 -&gt;\n"
"libpam_misc.so.0.72*\n"
"-rwxr-xr-x 1 root root 8125 Jun 3 13:46 libpam_misc.so.0.72*\n"
"lrwxrwxrwx 1 root root 15 Jun 4 12:12 libpamc.so.0 -&gt; libpamc.so.0.72*\n"
"-rwxr-xr-x 1 root root 10499 Jun 3 13:46 libpamc.so.0.72*\n"
"-rwxr-xr-x 1 root root 176427 Jun 3 13:46 libreadline.so.4.0*\n"
"-rwxr-xr-x 1 root root 44729 Jun 3 13:46 libutil.so.1*\n"
"-rwxr-xr-x 1 root root 70254 Jun 3 13:46 libz.a*\n"
"lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so -&gt; libz.so.1.1.3*\n"
"lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so.1 -&gt; libz.so.1.1.3*\n"
"-rwxr-xr-x 1 root root 63312 Jun 3 13:46 libz.so.1.1.3*\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:00 security/\n"
"./lib/security:\n"
"total 668\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:00 ./\n"
"drwxr-xr-x 3 root root 4096 Jun 4 12:13 ../\n"
"-rwxr-xr-x 1 root root 10067 Jun 3 13:46 pam_access.so*\n"
"-rwxr-xr-x 1 root root 8300 Jun 3 13:46 pam_chroot.so*\n"
"-rwxr-xr-x 1 root root 14397 Jun 3 13:46 pam_cracklib.so*\n"
"-rwxr-xr-x 1 root root 5082 Jun 3 13:46 pam_deny.so*\n"
"-rwxr-xr-x 1 root root 13153 Jun 3 13:46 pam_env.so*\n"
"-rwxr-xr-x 1 root root 13371 Jun 3 13:46 pam_filter.so*\n"
"-rwxr-xr-x 1 root root 7957 Jun 3 13:46 pam_ftp.so*\n"
"-rwxr-xr-x 1 root root 12771 Jun 3 13:46 pam_group.so*\n"
"-rwxr-xr-x 1 root root 10174 Jun 3 13:46 pam_issue.so*\n"
"-rwxr-xr-x 1 root root 9774 Jun 3 13:46 pam_lastlog.so*\n"
"-rwxr-xr-x 1 root root 13591 Jun 3 13:46 pam_limits.so*\n"
"-rwxr-xr-x 1 root root 11268 Jun 3 13:46 pam_listfile.so*\n"
"-rwxr-xr-x 1 root root 11182 Jun 3 13:46 pam_mail.so*\n"
"-rwxr-xr-x 1 root root 5923 Jun 3 13:46 pam_nologin.so*\n"
"-rwxr-xr-x 1 root root 5460 Jun 3 13:46 pam_permit.so*\n"
"-rwxr-xr-x 1 root root 18226 Jun 3 13:46 pam_pwcheck.so*\n"
"-rwxr-xr-x 1 root root 12590 Jun 3 13:46 pam_rhosts_auth.so*\n"
"-rwxr-xr-x 1 root root 5551 Jun 3 13:46 pam_rootok.so*\n"
"-rwxr-xr-x 1 root root 7239 Jun 3 13:46 pam_securetty.so*\n"
"-rwxr-xr-x 1 root root 6551 Jun 3 13:46 pam_shells.so*\n"
"-rwxr-xr-x 1 root root 55925 Jun 4 12:00 pam_smb_auth.so*\n"
"-rwxr-xr-x 1 root root 12678 Jun 3 13:46 pam_stress.so*\n"
"-rwxr-xr-x 1 root root 11170 Jun 3 13:46 pam_tally.so*\n"
"-rwxr-xr-x 1 root root 11124 Jun 3 13:46 pam_time.so*\n"
"-rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix.so*\n"
"-rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix2.so*\n"
"-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_acct.so*\n"
"-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_auth.so*\n"
"-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_passwd.so*\n"
"-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_session.so*\n"
"-rwxr-xr-x 1 root root 9726 Jun 3 13:46 pam_userdb.so*\n"
"-rwxr-xr-x 1 root root 6424 Jun 3 13:46 pam_warn.so*\n"
"-rwxr-xr-x 1 root root 7460 Jun 3 13:46 pam_wheel.so*\n"
"./sbin:\n"
"total 3132\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:35 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"-rwxr-xr-x 1 root root 178256 Jun 3 13:46 choptest*\n"
"-rwxr-xr-x 1 root root 184032 Jun 3 13:46 cqtest*\n"
"-rwxr-xr-x 1 root root 81096 Jun 3 13:46 dialtest*\n"
"-rwxr-xr-x 1 root root 1142128 Jun 4 11:28 ldconfig*\n"
"-rwxr-xr-x 1 root root 2868 Jun 3 13:46 lockname*\n"
"-rwxr-xr-x 1 root root 3340 Jun 3 13:46 ondelay*\n"
"-rwxr-xr-x 1 root root 376796 Jun 3 13:46 pagesend*\n"
"-rwxr-xr-x 1 root root 13950 Jun 3 13:46 probemodem*\n"
"-rwxr-xr-x 1 root root 9234 Jun 3 13:46 recvstats*\n"
"-rwxr-xr-x 1 root root 64480 Jun 3 13:46 sftp-server*\n"
"-rwxr-xr-x 1 root root 744412 Jun 3 13:46 sshd*\n"
"-rwxr-xr-x 1 root root 30750 Jun 4 11:46 su*\n"
"-rwxr-xr-x 1 root root 194632 Jun 3 13:46 tagtest*\n"
"-rwxr-xr-x 1 root root 69892 Jun 3 13:46 tsitest*\n"
"-rwxr-xr-x 1 root root 43792 Jun 3 13:46 typetest*\n"
"./tmp:\n"
"total 8\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:32 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"./usr:\n"
"total 8\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"lrwxrwxrwx 1 root root 7 Jun 4 12:14 bin -&gt; ../bin//\n"
"lrwxrwxrwx 1 root root 7 Jun 4 11:33 lib -&gt; ../lib//\n"
"lrwxrwxrwx 1 root root 8 Jun 4 12:13 sbin -&gt; ../sbin//"
msgstr ""
"\n"
".:\n"
"total 36\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ./\n"
"drwxr-xr-x 11 root root 4096 Jun 3 13:43 ../\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:13 bin/\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:16 dev/\n"
"drwxr-xr-x 4 root root 4096 Jun 4 12:35 etc/\n"
"drwxr-xr-x 3 root root 4096 Jun 4 12:13 lib/\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:35 sbin/\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:32 tmp/\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:16 usr/\n"
"./bin:\n"
"total 8368\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:13 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"-rwxr-xr-x 1 root root 109855 Jun 3 13:45 a2p*\n"
"-rwxr-xr-x 1 root root 387764 Jun 3 13:45 bash*\n"
"-rwxr-xr-x 1 root root 36365 Jun 3 13:45 c2ph*\n"
"-rwxr-xr-x 1 root root 20629 Jun 3 13:45 dprofpp*\n"
"-rwxr-xr-x 1 root root 6956 Jun 3 13:46 env*\n"
"-rwxr-xr-x 1 root root 158116 Jun 3 13:45 fax2ps*\n"
"-rwxr-xr-x 1 root root 104008 Jun 3 13:45 faxalter*\n"
"-rwxr-xr-x 1 root root 89340 Jun 3 13:45 faxcover*\n"
"-rwxr-xr-x 1 root root 441584 Jun 3 13:45 faxmail*\n"
"-rwxr-xr-x 1 root root 96036 Jun 3 13:45 faxrm*\n"
"-rwxr-xr-x 1 root root 107000 Jun 3 13:45 faxstat*\n"
"-rwxr-xr-x 1 root root 77832 Jun 4 11:46 grep*\n"
"-rwxr-xr-x 1 root root 19597 Jun 3 13:45 h2ph*\n"
"-rwxr-xr-x 1 root root 46979 Jun 3 13:45 h2xs*\n"
"-rwxr-xr-x 1 root root 10420 Jun 3 13:46 id*\n"
"-rwxr-xr-x 1 root root 4528 Jun 3 13:46 ldd*\n"
"-rwxr-xr-x 1 root root 111386 Jun 4 11:46 less*\n"
"-r-xr-xr-x 1 root root 26168 Jun 3 13:45 login*\n"
"-rwxr-xr-x 1 root root 49164 Jun 3 13:45 ls*\n"
"-rwxr-xr-x 1 root root 11600 Jun 3 13:45 mkdir*\n"
"-rwxr-xr-x 1 root root 24780 Jun 3 13:45 more*\n"
"-rwxr-xr-x 1 root root 154980 Jun 3 13:45 pal2rgb*\n"
"-rwxr-xr-x 1 root root 27920 Jun 3 13:46 passwd*\n"
"-rwxr-xr-x 1 root root 4241 Jun 3 13:45 pl2pm*\n"
"-rwxr-xr-x 1 root root 2350 Jun 3 13:45 pod2html*\n"
"-rwxr-xr-x 1 root root 7875 Jun 3 13:45 pod2latex*\n"
"-rwxr-xr-x 1 root root 17587 Jun 3 13:45 pod2man*\n"
"-rwxr-xr-x 1 root root 6877 Jun 3 13:45 pod2text*\n"
"-rwxr-xr-x 1 root root 3300 Jun 3 13:45 pod2usage*\n"
"-rwxr-xr-x 1 root root 3341 Jun 3 13:45 podchecker*\n"
"-rwxr-xr-x 1 root root 2483 Jun 3 13:45 podselect*\n"
"-r-xr-xr-x 1 root root 82412 Jun 4 11:46 ps*\n"
"-rwxr-xr-x 1 root root 36365 Jun 3 13:45 pstruct*\n"
"-rwxr-xr-x 1 root root 7120 Jun 3 13:45 pwd*\n"
"-rwxr-xr-x 1 root root 179884 Jun 3 13:45 rgb2ycbcr*\n"
"-rwxr-xr-x 1 root root 20532 Jun 3 13:45 rm*\n"
"-rwxr-xr-x 1 root root 6720 Jun 4 10:15 rmdir*\n"
"-rwxr-xr-x 1 root root 14705 Jun 3 13:45 s2p*\n"
"-rwxr-xr-x 1 root root 28764 Jun 3 13:46 scp*\n"
"-rwxr-xr-x 1 root root 385000 Jun 3 13:45 sendfax*\n"
"-rwxr-xr-x 1 root root 67548 Jun 3 13:45 sendpage*\n"
"-rwxr-xr-x 1 root root 88632 Jun 3 13:46 sftp*\n"
"-rwxr-xr-x 1 root root 387764 Jun 3 13:45 sh*\n"
"-rws--x--x 1 root root 744500 Jun 3 13:46 slogin*\n"
"-rwxr-xr-x 1 root root 14523 Jun 3 13:46 splain*\n"
"-rws--x--x 1 root root 744500 Jun 3 13:46 ssh*\n"
"-rwxr-xr-x 1 root root 570960 Jun 3 13:46 ssh-add*\n"
"-rwxr-xr-x 1 root root 502952 Jun 3 13:46 ssh-agent*\n"
"-rwxr-xr-x 1 root root 575740 Jun 3 13:46 ssh-keygen*\n"
"-rwxr-xr-x 1 root root 383480 Jun 3 13:46 ssh-keyscan*\n"
"-rwxr-xr-x 1 root root 39 Jun 3 13:46 ssh_europa*\n"
"-rwxr-xr-x 1 root root 107252 Jun 4 10:14 strace*\n"
"-rwxr-xr-x 1 root root 8323 Jun 4 10:14 strace-graph*\n"
"-rwxr-xr-x 1 root root 158088 Jun 3 13:46 thumbnail*\n"
"-rwxr-xr-x 1 root root 6312 Jun 3 13:46 tty*\n"
"-rwxr-xr-x 1 root root 55904 Jun 4 11:46 useradd*\n"
"-rwxr-xr-x 1 root root 585656 Jun 4 11:47 vi*\n"
"-rwxr-xr-x 1 root root 6444 Jun 4 11:45 whoami*\n"
"./dev:\n"
"total 8\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"crw-r--r-- 1 root root 1, 9 Jun 3 13:43 urandom\n"
"./etc:\n"
"total 208\n"
"drwxr-xr-x 4 root root 4096 Jun 4 12:35 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"-rw------- 1 root root 0 Jun 4 11:46 .pwd.lock\n"
"-rw-r--r-- 1 root root 653 Jun 3 13:46 group\n"
"-rw-r--r-- 1 root root 242 Jun 4 11:33 host.conf\n"
"-rw-r--r-- 1 root root 857 Jun 4 12:04 hosts\n"
"-rw-r--r-- 1 root root 1050 Jun 4 11:29 ld.so.cache\n"
"-rw-r--r-- 1 root root 304 Jun 4 11:28 ld.so.conf\n"
"-rw-r--r-- 1 root root 235 Jun 4 11:27 ld.so.conf~\n"
"-rw-r--r-- 1 root root 88039 Jun 3 13:46 moduli\n"
"-rw-r--r-- 1 root root 1342 Jun 4 11:34 nsswitch.conf\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:02 pam.d/\n"
"-rw-r--r-- 1 root root 28 Jun 4 12:00 pam_smb.conf\n"
"-rw-r--r-- 1 root root 2520 Jun 4 11:57 passwd\n"
"-rw-r--r-- 1 root root 7228 Jun 3 13:48 profile\n"
"-rw-r--r-- 1 root root 1339 Jun 4 11:33 protocols\n"
"-rw-r--r-- 1 root root 274 Jun 4 11:44 resolv.conf\n"
"drwxr-xr-x 2 root root 4096 Jun 3 13:43 security/\n"
"-rw-r----- 1 root root 1178 Jun 4 11:51 shadow\n"
"-rw------- 1 root root 80 Jun 4 11:45 shadow-\n"
"-rw-r----- 1 root root 1178 Jun 4 11:48 shadow.old\n"
"-rw-r--r-- 1 root root 161 Jun 3 13:46 shells\n"
"-rw-r--r-- 1 root root 1144 Jun 3 13:46 ssh_config\n"
"-rw------- 1 root root 668 Jun 3 13:46 ssh_host_dsa_key\n"
"-rw-r--r-- 1 root root 602 Jun 3 13:46 ssh_host_dsa_key.pub\n"
"-rw------- 1 root root 527 Jun 3 13:46 ssh_host_key\n"
"-rw-r--r-- 1 root root 331 Jun 3 13:46 ssh_host_key.pub\n"
"-rw------- 1 root root 883 Jun 3 13:46 ssh_host_rsa_key\n"
"-rw-r--r-- 1 root root 222 Jun 3 13:46 ssh_host_rsa_key.pub\n"
"-rw-r--r-- 1 root root 2471 Jun 4 12:15 sshd_config\n"
"./etc/pam.d:\n"
"total 24\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:02 ./\n"
"drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../\n"
"lrwxrwxrwx 1 root root 4 Jun 4 12:02 other -> sshd\n"
"-rw-r--r-- 1 root root 318 Jun 3 13:46 passwd\n"
"-rw-r--r-- 1 root root 546 Jun 4 11:36 ssh\n"
"-rw-r--r-- 1 root root 479 Jun 4 12:02 sshd\n"
"-rw-r--r-- 1 root root 370 Jun 3 13:46 su\n"
"./etc/security:\n"
"total 32\n"
"drwxr-xr-x 2 root root 4096 Jun 3 13:43 ./\n"
"drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../\n"
"-rw-r--r-- 1 root root 1971 Jun 3 13:46 access.conf\n"
"-rw-r--r-- 1 root root 184 Jun 3 13:46 chroot.conf\n"
"-rw-r--r-- 1 root root 2145 Jun 3 13:46 group.conf\n"
"-rw-r--r-- 1 root root 1356 Jun 3 13:46 limits.conf\n"
"-rw-r--r-- 1 root root 2858 Jun 3 13:46 pam_env.conf\n"
"-rw-r--r-- 1 root root 2154 Jun 3 13:46 time.conf\n"
"./lib:\n"
"total 8316\n"
"drwxr-xr-x 3 root root 4096 Jun 4 12:13 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"-rw-r--r-- 1 root root 1024 Jun 4 11:51 cracklib_dict.hwm\n"
"-rw-r--r-- 1 root root 214324 Jun 4 11:51 cracklib_dict.pwd\n"
"-rw-r--r-- 1 root root 11360 Jun 4 11:51 cracklib_dict.pwi\n"
"-rwxr-xr-x 1 root root 342427 Jun 3 13:46 ld-linux.so.2*\n"
"-rwxr-xr-x 1 root root 4061504 Jun 3 13:46 libc.so.6*\n"
"lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so -> libcrack.so.2.7*\n"
"lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so.2 -> libcrack.so.2.7*\n"
"-rwxr-xr-x 1 root root 33291 Jun 4 11:39 libcrack.so.2.7*\n"
"-rwxr-xr-x 1 root root 60988 Jun 3 13:46 libcrypt.so.1*\n"
"-rwxr-xr-x 1 root root 71846 Jun 3 13:46 libdl.so.2*\n"
"-rwxr-xr-x 1 root root 27762 Jun 3 13:46 libhistory.so.4.0*\n"
"lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.4 -> libncurses.so.4.2*\n"
"-rwxr-xr-x 1 root root 503903 Jun 3 13:46 libncurses.so.4.2*\n"
"lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.5 -> libncurses.so.5.0*\n"
"-rwxr-xr-x 1 root root 549429 Jun 3 13:46 libncurses.so.5.0*\n"
"-rwxr-xr-x 1 root root 369801 Jun 3 13:46 libnsl.so.1*\n"
"-rwxr-xr-x 1 root root 142563 Jun 4 11:49 libnss_compat.so.1*\n"
"-rwxr-xr-x 1 root root 215569 Jun 4 11:49 libnss_compat.so.2*\n"
"-rwxr-xr-x 1 root root 61648 Jun 4 11:34 libnss_dns.so.1*\n"
"-rwxr-xr-x 1 root root 63453 Jun 4 11:34 libnss_dns.so.2*\n"
"-rwxr-xr-x 1 root root 63782 Jun 4 11:34 libnss_dns6.so.2*\n"
"-rwxr-xr-x 1 root root 205715 Jun 3 13:46 libnss_files.so.1*\n"
"-rwxr-xr-x 1 root root 235932 Jun 3 13:49 libnss_files.so.2*\n"
"-rwxr-xr-x 1 root root 204383 Jun 4 11:33 libnss_nis.so.1*\n"
"-rwxr-xr-x 1 root root 254023 Jun 4 11:33 libnss_nis.so.2*\n"
"-rwxr-xr-x 1 root root 256465 Jun 4 11:33 libnss_nisplus.so.2*\n"
"lrwxrwxrwx 1 root root 14 Jun 4 12:12 libpam.so.0 -> libpam.so.0.72*\n"
"-rwxr-xr-x 1 root root 31449 Jun 3 13:46 libpam.so.0.72*\n"
"lrwxrwxrwx 1 root root 19 Jun 4 12:12 libpam_misc.so.0 ->\n"
"libpam_misc.so.0.72*\n"
"-rwxr-xr-x 1 root root 8125 Jun 3 13:46 libpam_misc.so.0.72*\n"
"lrwxrwxrwx 1 root root 15 Jun 4 12:12 libpamc.so.0 -> libpamc.so.0.72*\n"
"-rwxr-xr-x 1 root root 10499 Jun 3 13:46 libpamc.so.0.72*\n"
"-rwxr-xr-x 1 root root 176427 Jun 3 13:46 libreadline.so.4.0*\n"
"-rwxr-xr-x 1 root root 44729 Jun 3 13:46 libutil.so.1*\n"
"-rwxr-xr-x 1 root root 70254 Jun 3 13:46 libz.a*\n"
"lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so -> libz.so.1.1.3*\n"
"lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so.1 -> libz.so.1.1.3*\n"
"-rwxr-xr-x 1 root root 63312 Jun 3 13:46 libz.so.1.1.3*\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:00 security/\n"
"./lib/security:\n"
"total 668\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:00 ./\n"
"drwxr-xr-x 3 root root 4096 Jun 4 12:13 ../\n"
"-rwxr-xr-x 1 root root 10067 Jun 3 13:46 pam_access.so*\n"
"-rwxr-xr-x 1 root root 8300 Jun 3 13:46 pam_chroot.so*\n"
"-rwxr-xr-x 1 root root 14397 Jun 3 13:46 pam_cracklib.so*\n"
"-rwxr-xr-x 1 root root 5082 Jun 3 13:46 pam_deny.so*\n"
"-rwxr-xr-x 1 root root 13153 Jun 3 13:46 pam_env.so*\n"
"-rwxr-xr-x 1 root root 13371 Jun 3 13:46 pam_filter.so*\n"
"-rwxr-xr-x 1 root root 7957 Jun 3 13:46 pam_ftp.so*\n"
"-rwxr-xr-x 1 root root 12771 Jun 3 13:46 pam_group.so*\n"
"-rwxr-xr-x 1 root root 10174 Jun 3 13:46 pam_issue.so*\n"
"-rwxr-xr-x 1 root root 9774 Jun 3 13:46 pam_lastlog.so*\n"
"-rwxr-xr-x 1 root root 13591 Jun 3 13:46 pam_limits.so*\n"
"-rwxr-xr-x 1 root root 11268 Jun 3 13:46 pam_listfile.so*\n"
"-rwxr-xr-x 1 root root 11182 Jun 3 13:46 pam_mail.so*\n"
"-rwxr-xr-x 1 root root 5923 Jun 3 13:46 pam_nologin.so*\n"
"-rwxr-xr-x 1 root root 5460 Jun 3 13:46 pam_permit.so*\n"
"-rwxr-xr-x 1 root root 18226 Jun 3 13:46 pam_pwcheck.so*\n"
"-rwxr-xr-x 1 root root 12590 Jun 3 13:46 pam_rhosts_auth.so*\n"
"-rwxr-xr-x 1 root root 5551 Jun 3 13:46 pam_rootok.so*\n"
"-rwxr-xr-x 1 root root 7239 Jun 3 13:46 pam_securetty.so*\n"
"-rwxr-xr-x 1 root root 6551 Jun 3 13:46 pam_shells.so*\n"
"-rwxr-xr-x 1 root root 55925 Jun 4 12:00 pam_smb_auth.so*\n"
"-rwxr-xr-x 1 root root 12678 Jun 3 13:46 pam_stress.so*\n"
"-rwxr-xr-x 1 root root 11170 Jun 3 13:46 pam_tally.so*\n"
"-rwxr-xr-x 1 root root 11124 Jun 3 13:46 pam_time.so*\n"
"-rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix.so*\n"
"-rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix2.so*\n"
"-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_acct.so*\n"
"-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_auth.so*\n"
"-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_passwd.so*\n"
"-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_session.so*\n"
"-rwxr-xr-x 1 root root 9726 Jun 3 13:46 pam_userdb.so*\n"
"-rwxr-xr-x 1 root root 6424 Jun 3 13:46 pam_warn.so*\n"
"-rwxr-xr-x 1 root root 7460 Jun 3 13:46 pam_wheel.so*\n"
"./sbin:\n"
"total 3132\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:35 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"-rwxr-xr-x 1 root root 178256 Jun 3 13:46 choptest*\n"
"-rwxr-xr-x 1 root root 184032 Jun 3 13:46 cqtest*\n"
"-rwxr-xr-x 1 root root 81096 Jun 3 13:46 dialtest*\n"
"-rwxr-xr-x 1 root root 1142128 Jun 4 11:28 ldconfig*\n"
"-rwxr-xr-x 1 root root 2868 Jun 3 13:46 lockname*\n"
"-rwxr-xr-x 1 root root 3340 Jun 3 13:46 ondelay*\n"
"-rwxr-xr-x 1 root root 376796 Jun 3 13:46 pagesend*\n"
"-rwxr-xr-x 1 root root 13950 Jun 3 13:46 probemodem*\n"
"-rwxr-xr-x 1 root root 9234 Jun 3 13:46 recvstats*\n"
"-rwxr-xr-x 1 root root 64480 Jun 3 13:46 sftp-server*\n"
"-rwxr-xr-x 1 root root 744412 Jun 3 13:46 sshd*\n"
"-rwxr-xr-x 1 root root 30750 Jun 4 11:46 su*\n"
"-rwxr-xr-x 1 root root 194632 Jun 3 13:46 tagtest*\n"
"-rwxr-xr-x 1 root root 69892 Jun 3 13:46 tsitest*\n"
"-rwxr-xr-x 1 root root 43792 Jun 3 13:46 typetest*\n"
"./tmp:\n"
"total 8\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:32 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"./usr:\n"
"total 8\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"lrwxrwxrwx 1 root root 7 Jun 4 12:14 bin -> ../bin//\n"
"lrwxrwxrwx 1 root root 7 Jun 4 11:33 lib -> ../lib//\n"
"lrwxrwxrwx 1 root root 8 Jun 4 12:13 sbin -> ../sbin//"

msgid "Chroot environment for <application>Apache</application>"
msgstr ""

msgid "Introduction"
msgstr "Introduçao"

msgid "The <command>chroot</command> utility is often used to jail a daemon in a restricted tree. You can use it to insulate services from one another, so that security issues in a software package do not jeopardize the whole server. When using the <command>makejail</command> script, setting up and updating the chrooted tree is much easier."
msgstr "O utilitário <command>chroot</command> é muitas vezes usado para enjaular um daemon dentro de uma estrutura restrita. Voce pode usá-lo para isolar um serviço do outro, desta forma um problema de segurança em um pacote de software específico não interfere em todo o servidor. A utilização do script <command>makejail</command> torna a configuração e atualização da árvore enjaulada muito mais fácil."

msgid "FIXME: Apache can also be chrooted using <ulink url=\"http://www.modsecurity.org\" /> which is available in <package>libapache-mod-security</package> (for Apache 1.x) and <package>libapache2-mod-security</package> (for Apache 2.x)."
msgstr "FIXME: Apache também pode ser enjaulado usando <ulink url=\"http://www.modsecurity.org\" /> que está disponível em <package>libapache-mod-security</package> (para Apache 1.x) e <package>libapache2-mod-security</package> (para Apache 2.x)."

msgid "Licensing"
msgstr "Licença"

msgid "This document is copyright 2002 Alexandre Ratti. It has been dual-licensed and released under the GPL version 2 (GNU General Public License) the GNU-FDL 1.2 (GNU Free Documentation Licence) and is included in this manual with his explicit permission. (from the <ulink name=\"original document\" url=\"http://www.gabuzomeu.net/alex/doc/apache/index-en.html\" />)"
msgstr "This document is copyright 2002 Alexandre Ratti. It has been dual-licensed and released under the GPL version 2 (GNU Public License) the GNU-FDL 1.2 (GNU Free Documentation Licence) and is included in this manual with his explicit permission. (from the <ulink url=\"http://www.gabuzomeu.net/alex/doc/apache/index-en.html\" name=\"original document\" />)"

msgid "Installing the server"
msgstr "Instalando o servidor"

msgid "This procedure was tested on Debian GNU/Linux 3.0 (Woody) with <command>makejail</command> 0.0.4-1 (in Debian/testing)."
msgstr "Este procedimento foi testado no Debian GNU/Linux&nbsp;3.0 (Woody) com <command>makejail</command> 0.0.4-1 (em Debian/testing)."

msgid "Log in as <command>root</command> and create a new jail directory:"
msgstr "Efetue o login como <command>root</command> e crie um novo diretório para jaula:"

msgid "\n"
"$ mkdir -p /var/chroot/apache"
msgstr "\n"
"$ mkdir -p /var/chroot/apache"

msgid "Create a new user and a new group. The chrooted Apache server will run as this user/group, which isn't used for anything else on the system. In this example, both user and group are called <command>chrapach</command>."
msgstr "Crie um novo usuário e novo grupo. O servidor Apache enjaulado irá executar com este usuário/grupo, que não é utilizado para mais nada no sistema. Neste exemplo, ambos usuário e grupo são chamados de <command>chrapach</command>."

msgid ""
" \n"
" $ adduser --home /var/chroot/apache --shell /bin/false \\\n"
" --no-create-home --system --group chrapach\n"
" "
msgstr ""
" \n"
" $ adduser --home /var/chroot/apache --shell /bin/false \\\n"
" --no-create-home --system --group chrapach"
" "

msgid "FIXME: is a new user needed? (Apache already runs as the apache user)"
msgstr "FIXME: é preciso um novo usuário? (Apache já executa como usuário apache)"

msgid "Install Apache as usual on Debian: <literal>apt-get install apache</literal>"
msgstr "Instale o Apache normalmente no Debian: <literal>apt-get install apache</literal>"

msgid "Set up Apache (e.g. define your subdomains, etc.). In the <filename>/etc/apache/httpd.conf</filename> configuration file, set the <emphasis>Group</emphasis> and <emphasis>User</emphasis> options to <literal>chrapach</literal>. Restart Apache and make sure the server is working correctly. Now, stop the Apache daemon."
msgstr "Configure o Apache (por exemplo defina seus subdomínios e etc.). No arquivo de configuração <filename>/etc/apache/httpd.conf</filename>, altere as opções <emphasis>Group</emphasis> e <emphasis>User</emphasis> para <literal>chrapach</literal>. Reinicie o Apache e tenha certeza que o servidor está funcionando corretamente. Agora, pare o daemon do Apache."

msgid "Install <command>makejail</command> (available in Debian/testing for now). You should also install <command>wget</command> and <command>lynx</command> as they will be used by <command>makejail</command> to test the chrooted server: <literal>apt-get install makejail wget lynx</literal>"
msgstr "Instale o <command>makejail</command> (disponível agora no Debian/testing). Você também deve instalar <command>wget</command> e <command>lynx</command>, pois eles serão usados pelo <command>makejail</command> para testar o servidor enjaulado: <literal>apt-get install makejail wget lynx</literal>"

msgid "Copy the sample configuration file for Apache to the <filename>/etc/makejail</filename> directory:"
msgstr "Copie o arquivo de configuração de exemplo para o Apache para o diretório <filename>/etc/makejail</filename>:"

msgid ""
" \n"
" # cp /usr/share/doc/makejail/examples/apache.py /etc/makejail/ \n"
" "
msgstr ""
" \n"
" # cp /usr/share/doc/makejail/examples/apache.py /etc/makejail/"

msgid "Edit <filename>/etc/makejail/apache.py</filename>. You need to change the <emphasis>chroot</emphasis>, <emphasis>users</emphasis> and <emphasis>groups</emphasis> options. To run this version of <command>makejail</command>, you can also add a <command>packages</command> option. See the <ulink name=\"makejail documentation\" url=\"http://www.floc.net/makejail/current/doc/\" />. A sample is shown here:"
msgstr ""

msgid ""
"\n"
"chroot=\"/var/chroot/apache\"\n"
"testCommandsInsideJail=[\"/usr/sbin/apachectl start\"]\n"
"processNames=[\"apache\"]\n"
"testCommandsOutsideJail=[\"wget -r --spider http://localhost/\",\n"
"                         \"lynx --source https://localhost/\"]\n"
"preserve=[\"/var/www\",\n"
"          \"/var/log/apache\",\n"
"          \"/dev/log\"]\n"
"users=[\"chrapach\"]\n"
"groups=[\"chrapach\"]\n"
"packages=[\"apache\", \"apache-common\"]\n"
"userFiles=[\"/etc/password\",\n"
"           \"/etc/shadow\"]\n"
"groupFiles=[\"/etc/group\",\n"
"            \"/etc/gshadow\"]\n"
"forceCopy=[\"/etc/hosts\",\n"
"           \"/etc/mime.types\"]"
msgstr ""
"\n"
"chroot=\"/var/chroot/apache\"\n"
"testCommandsInsideJail=[\"/usr/sbin/apachectl start\"]\n"
"processNames=[\"apache\"]\n"
"testCommandsOutsideJail=[\"wget -r --spider http://localhost/\",\n"
"                         \"lynx --source https://localhost/\"]\n"
"preserve=[\"/var/www\",\n"
"          \"/var/log/apache\",\n"
"          \"/dev/log\"]\n"
"users=[\"chrapach\"]\n"
"groups=[\"chrapach\"]\n"
"packages=[\"apache\", \"apache-common\"]\n"
"userFiles=[\"/etc/password\",\n"
"           \"/etc/shadow\"]\n"
"groupFiles=[\"/etc/group\",\n"
"            \"/etc/gshadow\"]\n"
"forceCopy=[\"/etc/hosts\",\n"
"           \"/etc/mime.types\"]"

msgid "<emphasis>FIXME:</emphasis> some options do not seem to work properly. For instance, <filename>/etc/shadow</filename> and <filename>/etc/gshadow</filename> are not copied, whereas <filename>/etc/password</filename> and <filename>/etc/group</filename> are fully copied instead of being filtered."
msgstr "<emphasis>FIXME:</emphasis> algumas opções parecem não funcionar corretamente. Por exemplo, <filename>/etc/shadow</filename> e <filename>/etc/gshadow</filename> não são copiados, visto que <filename>/etc/password</filename> e <filename>/etc/group</filename> são copiados em vez de serem filtrados."

msgid "Create the chroot tree: <literal>makejail /etc/makejail/apache.py</literal>"
msgstr "Crie a árvore da jaula: <literal>makejail /etc/makejail/apache.py</literal>"

msgid "If <filename>/etc/password</filename> and <filename>/etc/group</filename> were fully copied, type:"
msgstr "Se <filename>/etc/password</filename> e <filename>/etc/group</filename> forem copiados completamente, digite:"

msgid ""
"\n"
"      $ grep chrapach /etc/passwd &gt; /var/chroot/apache/etc/passwd\n"
"      $ grep chrapach /etc/group &gt; /var/chroot/apache/etc/group\n"
"      "
msgstr ""
"\n"
"      $ grep chrapach /etc/passwd &gt; /var/chroot/apache/etc/passwd\n"
"      $ grep chrapach /etc/group &gt; /var/chroot/apache/etc/group"

msgid "to replace them with filtered copies."
msgstr "para substituí-los com as cópias filtradas."

msgid "Copy the Web site pages and the logs into the jail. These files are not copied automatically (see the <emphasis>preserve</emphasis> option in <command>makejail</command>'s configuration file)."
msgstr "Copie as páginas e os logs do site Web dentro da jaula. Estes arquivos não são copiados automaticamente (veja a opção <emphasis>preserve</emphasis> no arquivo de configuração do <command>makejail</command>)."

msgid ""
"\n"
"      # cp -Rp /var/www /var/chroot/apache/var\n"
"      # cp -Rp /var/log/apache/*.log /var/chroot/apache/var/log/apache\n"
"      "
msgstr ""
"\n"
"      # cp -Rp /var/www /var/chroot/apache/var\n"
"      # cp -Rp /var/log/apache/*.log /var/chroot/apache/var/log/apache\n"
"      "

msgid "Edit the startup script for the system logging daemon so that it also listen to the <filename>/var/chroot/apache/dev/log</filename> socket. In <filename>/etc/default/syslogd</filename>, replace: <literal>SYSLOGD=\"\"</literal> with <literal>SYSLOGD=\" -a /var/chroot/apache/dev/log\"</literal> and restart the daemon (<literal>/etc/init.d/sysklogd restart</literal>)."
msgstr "Edite o script de inicialização para que o daemon de logging do sistema também ouça do socket <filename>/var/chroot/apache/dev/log</filename>. No arquivo <filename>/etc/init.d/sysklogd</filename>, substitua: <literal>SYSLOGD=&quot;&quot;</literal> com <literal>SYSLOGD=&quot; -a /var/chroot/apache/dev/log&quot;</literal> e reinicie o daemon (<literal>/etc/init.d/sysklogd restart</literal>)."

msgid "Edit the Apache startup script (<filename>/etc/init.d/apache</filename>). You might need to make some changes to the default startup script for it to run properly with a chrooted tree. Such as:"
msgstr "Edite o script de inicialização do Apache (<filename>/etc/init.d/apache</filename>). Você pode precisar fazer algumas alterações no script de inicialização padrão para que ele funcione apropriadamente com a árvore enjaulada. Como:"

msgid "set a new <emphasis>CHRDIR</emphasis> variable at the top of the file;"
msgstr "configure uma nova variável <emphasis>CHRDIR</emphasis> no início do arquivo;"

msgid "edit the <emphasis>start</emphasis>, <emphasis>stop</emphasis>, <emphasis>reload</emphasis>, etc. sections;"
msgstr "edite as seções <emphasis>start</emphasis>, <emphasis>stop</emphasis>, <emphasis>reload</emphasis>, etc.;"

msgid "add a line to mount and unmount the <filename>/proc</filename> filesystem within the jail."
msgstr "adicione uma linha para montar e desmontar o sistema de arquivo <filename>/proc</filename> que está dentro da jaula."

msgid ""
"\n"
"#! /bin/bash\n"
"#\n"
"# apache        Start the apache HTTP server.\n"
"#\n"
"\n"
"CHRDIR=/var/chroot/apache\n"
"\n"
"NAME=apache\n"
"PATH=/bin:/usr/bin:/sbin:/usr/sbin\n"
"DAEMON=/usr/sbin/apache\n"
"SUEXEC=/usr/lib/apache/suexec\n"
"PIDFILE=/var/run/$NAME.pid\n"
"CONF=/etc/apache/httpd.conf\n"
"APACHECTL=/usr/sbin/apachectl \n"
"\n"
"trap \"\" 1\n"
"export LANG=C\n"
"export PATH\n"
"\n"
"test -f $DAEMON || exit 0\n"
"test -f $APACHECTL || exit 0\n"
"\n"
"# ensure we don't leak environment vars into apachectl\n"
"APACHECTL=\"env -i LANG=${LANG} PATH=${PATH} chroot $CHRDIR $APACHECTL\"\n"
"\n"
"if egrep -q -i \"^[[:space:]]*ServerType[[:space:]]+inet\" $CONF\n"
"then\n"
"    exit 0\n"
"fi\n"
"\n"
"case \"$1\" in\n"
"  start)\n"
"    echo -n \"Starting web server: $NAME\"\n"
"    mount -t proc proc /var/chroot/apache/proc\n"
"    start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON \\\n"
"      --chroot $CHRDIR\n"
"    ;;\n"
"\n"
"  stop)\n"
"    echo -n \"Stopping web server: $NAME\"\n"
"    start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" --oknodo\n"
"    umount /var/chroot/apache/proc\n"
"    ;;\n"
"\n"
"  reload)\n"
"    echo -n \"Reloading $NAME configuration\"\n"
"    start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" \\\n"
"      --signal USR1 --startas $DAEMON --chroot $CHRDIR\n"
"    ;;\n"
"\n"
"  reload-modules)\n"
"    echo -n \"Reloading $NAME modules\"\n"
"    start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" --oknodo \\\n"
"      --retry 30\n"
"    start-stop-daemon --start --pidfile $PIDFILE \\\n"
"      --exec $DAEMON --chroot $CHRDIR\n"
"    ;;\n"
"\n"
"  restart)\n"
"    $0 reload-modules\n"
"    exit $?\n"
"    ;;\n"
"\n"
"  force-reload)\n"
"    $0 reload-modules\n"
"    exit $?\n"
"    ;;\n"
"\n"
"  *)\n"
"    echo \"Usage: /etc/init.d/$NAME {start|stop|reload|reload-modules|force-reload|restart}\"\n"
"    exit 1\n"
"    ;;\n"
"esac\n"
"\n"
"if [ $? == 0 ]; then\n"
"  echo .\n"
"  exit 0\n"
"else\n"
"  echo failed\n"
"  exit 1\n"
"fi"
msgstr ""
"\n"
"#! /bin/bash\n"
"#\n"
"# apache\tStart the apache HTTP server.\n"
"#\n"
"\n"
"CHRDIR=/var/chroot/apache\n"
"\n"
"NAME=apache\n"
"PATH=/bin:/usr/bin:/sbin:/usr/sbin\n"
"DAEMON=/usr/sbin/apache\n"
"SUEXEC=/usr/lib/apache/suexec\n"
"PIDFILE=/var/run/$NAME.pid\n"
"CONF=/etc/apache/httpd.conf\n"
"APACHECTL=/usr/sbin/apachectl \n"
"\n"
"trap \"\" 1\n"
"export LANG=C\n"
"export PATH\n"
"\n"
"test -f $DAEMON || exit 0\n"
"test -f $APACHECTL || exit 0\n"
"\n"
"# ensure we don't leak environment vars into apachectl\n"
"APACHECTL=\"env -i LANG=${LANG} PATH=${PATH} chroot $CHRDIR $APACHECTL\"\n"
"\n"
"if egrep -q -i \"^[[:space:]]*ServerType[[:space:]]+inet\" $CONF\n"
"then\n"
"    exit 0\n"
"fi\n"
"\n"
"case \"$1\" in\n"
"  start)\n"
"    echo -n \"Starting web server: $NAME\"\n"
"    mount -t proc proc /var/chroot/apache/proc\n"
"    start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON \\\n"
"\t--chroot $CHRDIR\n"
"    ;;\n"
"\n"
"  stop)\n"
"    echo -n \"Stopping web server: $NAME\"\n"
"    start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" --oknodo\n"
"    umount /var/chroot/apache/proc\n"
"    ;;\n"
"\n"
"  reload)\n"
"    echo -n \"Reloading $NAME configuration\"\n"
"    start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" \\\n"
"\t--signal USR1 --startas $DAEMON --chroot $CHRDIR\n"
"    ;;\n"
"\n"
"  reload-modules)\n"
"    echo -n \"Reloading $NAME modules\"\n"
"    start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" --oknodo \\\n"
"\t--retry 30\n"
"    start-stop-daemon --start --pidfile $PIDFILE \\\n"
"\t--exec $DAEMON --chroot $CHRDIR\n"
"    ;;\n"
"\n"
"  restart)\n"
"    $0 reload-modules\n"
"    exit $?\n"
"    ;;\n"
"\n"
"  force-reload)\n"
"    $0 reload-modules\n"
"    exit $?\n"
"    ;;\n"
"\n"
"  *)\n"
"    echo \"Usage: /etc/init.d/$NAME {start|stop|reload|reload-modules|force-reload|restart}\"\n"
"    exit 1\n"
"    ;;\n"
"esac\n"
"\n"
"if [ $? == 0 ]; then\n"
"\techo .\n"
"\texit 0\n"
"else\n"
"\techo failed\n"
"\texit 1\n"
"fi"

msgid "<emphasis>FIXME</emphasis>: should the first Apache process be run as another user than root (i.e. add --chuid chrapach:chrapach)? Cons: chrapach will need write access to the logs, which is awkward."
msgstr "<emphasis>FIXME</emphasis>: should the first Apache process be run as another user than root (i.e. add --chuid chrapach:chrapach)? Cons: chrapach will need write access to the logs, which is awkward."

msgid "Replace in <filename>/etc/logrotate.d/apache</filename> <literal>/var/log/apache/*.log</literal> with <literal>/var/chroot/apache/var/log/apache/*.log</literal>"
msgstr "Substitua no <filename>/etc/logrotate.d/apache</filename> o <literal>/var/log/apache/*.log</literal> com <literal>/var/chroot/apache/var/log/apache/*.log</literal>"

msgid "Start Apache (<command>/etc/init.d/apache start</command>) and check what is it reported in the jail log (<filename>/var/chroot/apache/var/log/apache/error.log</filename>). If your setup is more complex, (e.g. if you also use PHP and MySQL), files will probably be missing. if some files are not copied automatically by <command>makejail</command>, you can list them in the <emphasis>forceCopy</emphasis> (to copy files directly) or <emphasis>packages</emphasis> (to copy full packages and their dependencies) option the <filename>/etc/makejail/apache.py</filename> configuration file."
msgstr "Inicialize o Apache (<command>/etc/init.d/apache start</command>) e verifique o que está sendo reportado no log da jaula (<filename>/var/chroot/apache/var/log/apache/error.log</filename>). Se a sua configuração for mais complexa (exemplo: se também utiliza PHP e MySQL), alguns arquivos provavelmente estarão faltando. Se estes arquivos não são copiados automaticamente pelo <command>makejail</command>, você pode listá-los com a opção <emphasis>forceCopy</emphasis> (para copiar os arquivos diretamente) ou <emphasis>packages</emphasis> (para copiar pacotes completos e suas dependências) no arquivo de configuração <filename>/etc/makejail/apache.py</filename>."

msgid "Type <literal>ps aux | grep apache</literal> to make sure Apache is running. You should see something like:"
msgstr "Digite <literal>ps aux | grep apache</literal> para ter certeza que o Apache está rodando. Você deve ver algo do tipo:"

msgid ""
"\n"
"      root 180 0.0 1.1 2936 1436 ? S 04:03 0:00 /usr/sbin/apache\n"
"      chrapach 189 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n"
"      chrapach 190 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n"
"      chrapach 191 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n"
"      chrapach 192 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n"
"      chrapach 193 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n"
"      "
msgstr ""
"\n"
"      root 180 0.0 1.1 2936 1436 ? S 04:03 0:00 /usr/sbin/apache\n"
"      chrapach 189 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n"
"      chrapach 190 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n"
"      chrapach 191 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n"
"      chrapach 192 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n"
"      chrapach 193 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache"

msgid "Make sure the Apache processes are running chrooted by looking in the <filename>/proc</filename> filesystem: <literal>ls -la /proc/<varname>process_number</varname>/root/.</literal> where <varname>process_number</varname> is one of the PID numbers listed above (2nd column; 189 for instance). The entries for a restricted tree should be listed:"
msgstr "Certifique-se que os processos do Apache estão sendo executados na jaula chroot procurando no sistema de arquivo <filename>/proc</filename>: <literal>ls -la /proc/process_number/root/.</literal> onde <emphasis>process_number</emphasis> é um dos PID listados acima (por exemplo: segunda coluna; PID 189). As entradas para a árvore restrita devem ser listadas:"

msgid ""
"\n"
"    drwxr-sr-x 10 root staff 240 Dec 2 16:06 .\n"
"    drwxrwsr-x 4 root staff 72 Dec 2 08:07 ..\n"
"    drwxr-xr-x 2 root root 144 Dec 2 16:05 bin\n"
"    drwxr-xr-x 2 root root 120 Dec 3 04:03 dev\n"
"    drwxr-xr-x 5 root root 408 Dec 3 04:03 etc\n"
"    drwxr-xr-x 2 root root 800 Dec 2 16:06 lib\n"
"    dr-xr-xr-x 43 root root 0 Dec 3 05:03 proc\n"
"    drwxr-xr-x 2 root root 48 Dec 2 16:06 sbin\n"
"    drwxr-xr-x 6 root root 144 Dec 2 16:04 usr\n"
"    drwxr-xr-x 7 root root 168 Dec 2 16:06 var\n"
"    "
msgstr ""
"\n"
"    drwxr-sr-x 10 root staff 240 Dec 2 16:06 .\n"
"    drwxrwsr-x 4 root staff 72 Dec 2 08:07 ..\n"
"    drwxr-xr-x 2 root root 144 Dec 2 16:05 bin\n"
"    drwxr-xr-x 2 root root 120 Dec 3 04:03 dev\n"
"    drwxr-xr-x 5 root root 408 Dec 3 04:03 etc\n"
"    drwxr-xr-x 2 root root 800 Dec 2 16:06 lib\n"
"    dr-xr-xr-x 43 root root 0 Dec 3 05:03 proc\n"
"    drwxr-xr-x 2 root root 48 Dec 2 16:06 sbin\n"
"    drwxr-xr-x 6 root root 144 Dec 2 16:04 usr\n"
"    drwxr-xr-x 7 root root 168 Dec 2 16:06 var"

msgid "To automate this test, you can type:<literal>ls -la /proc/`cat /var/chroot/apache/var/run/apache.pid`/root/.</literal>"
msgstr "Para automatizar este teste, você pode digitar:<literal>ls -la /proc/`cat /var/chroot/apache/var/run/apache.pid`/root/.</literal>"

msgid "<emphasis>FIXME</emphasis>: Add other tests that can be run to make sure the jail is closed?"
msgstr "<emphasis>FIXME</emphasis>: Add other tests that can be run to make sure the jail is closed?"

msgid "The reason I like this is because setting up the jail is not very difficult and the server can be updated in just two lines:"
msgstr "A razão pela qual eu gosto disso é que a configuração da jaula não é tão complicada e o servidor pode ser atualizado em somente duas linhas:"

msgid ""
" \n"
"apt-get update &amp;&amp; apt-get install apache\n"
"makejail /etc/makejail/apache.py"
msgstr ""
" \n"
"apt-get update &amp;&amp; apt-get install apache\n"
"makejail /etc/makejail/apache.py"

msgid "See also"
msgstr "Veja também"

msgid "If you are looking for more information you can consider these sources of information in which the information presented is based: <ulink name=\"makejail homepage\" url=\"http://www.floc.net/makejail/\" />, this program was written by Alain Tesio"
msgstr ""