Re: chroot'd daemons

To: Bernd Eckenfels <lists@lina.inka.de>, debian-devel@lists.debian.org
Subject: Re: chroot'd daemons
From: Russell Coker <russell@coker.com.au>
Date: Thu, 2 Sep 1999 18:57:14 +0200
Message-id: <[🔎] 9909021901540A.12133@lyta>
Reply-to: russell@coker.com.au
In-reply-to: <[🔎] 19990901235732.A19048@lina.inka.de>
References: <19990901003124.A4908@jab.home> <[🔎] 19990901235732.A19048@lina.inka.de>

>> I read in the LSAG, I think, that there is a bind package available for RedHat
>> that runs in a chroot'd environment. Wouldn't it be wise to do the same for
>> some Debian packages too?
>
>Yes, but perhaps it is enough to have a "jail builder" package, so you have
>less data to download. This is something like the ftpd routne which checs if
>the anon dir is populated with recent libs and ls. And of course you need to
>avoid running the daemons as root, which is unfortunatelly needed as long as
>you dont patch kernel or use capablities.

We currently have a fine authbind package which allows us to easily run daemons
such as DNS servers as non-root.
With that setup why do we need to have a chroot() environment for a daemon? 
Surely we can just give it it's own UID and then it can't do much harm if
compromised.

-- 
I'm in Utrecht.  I'd like to meet any Linux users in the area, or any other
part of the Netherlands.

Reply to:

References:
- Re: chroot'd daemons
  - From: Bernd Eckenfels <lists@lina.inka.de>

Prev by Date: debrsign: a script to REMOTELY sign .changes and .dsc files
Next by Date: Re: Feaping Creature-ism in core Debian Packages
Previous by thread: Re: chroot'd daemons
Next by thread: Re: Herring/dpkg (was Re: Senseless Bickering and Overpoliticization)
Index(es):
- Date
- Thread