Re: chroot'd daemons
>> I read in the LSAG, I think, that there is a bind package available for RedHat
>> that runs in a chroot'd environment. Wouldn't it be wise to do the same for
>> some Debian packages too?
>
>Yes, but perhaps it is enough to have a "jail builder" package, so you have
>less data to download. This is something like the ftpd routne which checs if
>the anon dir is populated with recent libs and ls. And of course you need to
>avoid running the daemons as root, which is unfortunatelly needed as long as
>you dont patch kernel or use capablities.
We currently have a fine authbind package which allows us to easily run daemons
such as DNS servers as non-root.
With that setup why do we need to have a chroot() environment for a daemon?
Surely we can just give it it's own UID and then it can't do much harm if
compromised.
--
I'm in Utrecht. I'd like to meet any Linux users in the area, or any other
part of the Netherlands.
Reply to: