
Re: chroot bind?



It escaped before being done.

Bryan Andersen wrote:
> 
> Nicholas Lee wrote:
> >
> > Please CC: not subscribe.
> >
> > I'm interested in doing some work to provide a bind-chroot package.
> > (It's in fact pretty simple to copy the openbsd setup.)
> >
> > The basic thing I'm not sure about is how something like this would fit
> > into the Debian policy.
> >
> > ie dev files like /var/named/dev/log and /var/named/dev/null.
> >
> > Config files in /var/named/
> 
> Do it under /var/named, this follows other OSes conventions.  Another
> reason is if someone does run an exploit against bind the partition they
> are on won't be the root partition if the admin has separated out file
> systems.  /etc is almost always on the root partition.  /var is often
> separated out onto its own partition.

A neat way I've seen chroot programs done is to leave the executables 
and config files where they are normally, then copy them over to the 
chroot directory tree at startup.  Usually there is a consistency 
check to avoid copying, but this way if any files are changed, they 
are refreshed from the originals.  All your chroot-bind would need 
is to set up the alternate startup script, and disable the normal 
bind start script in init.



-- 
|  Bryan Andersen   |   bryan@visi.com   |   http://www.nerdvest.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |
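The startup-time copy with a consistency check described in the reply above, as an added example that is not code from the thread or from any Debian package; the CHROOT/ROOT arguments, the function names and the constructed demo tree are assumptions:

```shell
#!/bin/sh
# Added example, not code from the original thread or from any Debian
# package: refresh a chroot tree from the canonical files at each start.
# Paths, the CHROOT/ROOT arguments and the function names are assumptions.

# sync_into_chroot CHROOT ROOT FILE...
#   FILE is a path relative to ROOT ("/" on a real system).  Each FILE is
#   copied to CHROOT/FILE only when the chroot copy is missing or differs
#   from the original, so an edit to the real config is picked up on the
#   next start while unchanged files are left alone.  Prints the number
#   of files refreshed.
sync_into_chroot() {
    chroot_dir=${1%/}; root=${2%/}; shift 2
    refreshed=0
    for rel in "$@"; do
        src="$root/$rel"
        dst="$chroot_dir/$rel"
        # Consistency check: identical copy already present, nothing to do.
        if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
            continue
        fi
        mkdir -p "$(dirname "$dst")"
        # -p keeps mode, owner and timestamp, so the copy inside the jail
        # carries the same permissions as the original outside it.
        cp -p "$src" "$dst"
        refreshed=$((refreshed + 1))
    done
    echo "$refreshed"
}

# Constructed demonstration on a throw-away tree (no root needed).
# Device nodes such as CHROOT/dev/null need mknod as root and are not
# handled by this function.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/var/named"
    printf 'options { directory "/var/named"; };\n' > "$tmp/etc/named.conf"
    echo "first start:  $(sync_into_chroot "$tmp/var/named" "$tmp" etc/named.conf) copied"
    echo "second start: $(sync_into_chroot "$tmp/var/named" "$tmp" etc/named.conf) copied"
    echo 'include "/etc/named.local";' >> "$tmp/etc/named.conf"
    echo "after edit:   $(sync_into_chroot "$tmp/var/named" "$tmp" etc/named.conf) copied"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run the script with `--demo` to see the copy counts for a first start, an unchanged restart, and a restart after the original config was edited.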
