Re: chroot bind?
> > > Please CC: not subscribe.
On Fri, Apr 20, 2001 at 03:13:33AM -0500, Bryan Andersen wrote:
> Bryan Andersen wrote:
> >
> > Do it under /var/named, this follows other OSes conventions. Another
Problem is that doesn't meet the FHS: "Applications must generally not add
directories to the top level of /var. Such directories should only be
added if they have some system-wide implication, and in consultation
with the FHS mailing list." Which means it doesn't meet the Debian
policy.
I think you're right though. Pretty much everyone else uses
/var/named/.
Is there any reason why anyone in Debian would complain seriously about
binaries, config files, and device nodes in /var/named for security??
> A neat way I've seen chroot programs done is to leave the executables
> and config files where they are normally, then copy them over to the
> chroot directory tree at startup. Usually there is a consistency
> check to avoid copying, but this way if any files are changed, they
> are refreshed from the originals. All your chroot-bind would need
> is to set up the alternate startup script, and disable the normal
> bind start script in init.
This is actually pretty easy to do, since one can just copy the named
section in the OpenBSD /etc/rc. ;)
The other issue is a consistency check on the named.conf file,
and whether some admin puts in absolute directory references.
I'm of the mind of course that chroot bind should be the default. ;)
Nicholas
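An added example of the two pieces discussed in this message: the "copy the originals into the chroot at startup, refreshing only what changed" scheme Bryan describes, and the named.conf consistency check for absolute path references. This is illustrative code written for this page, not Debian's chroot-bind package or the OpenBSD /etc/rc named section. The chroot location, the file list, and the Linux device major/minor numbers are assumptions; the demo at the bottom builds a throwaway host tree and chroot under mktemp so it runs without root.

```shell
#!/bin/sh
# Added example (not Debian's or OpenBSD's own rc code): refresh a bind
# chroot from the canonical files at startup, then sanity-check named.conf.
# Assumed for illustration: the chroot lives at /var/named, the file list
# below, and Linux major/minor numbers for the device nodes.

# Copy SRC to DST only when DST is missing or differs from SRC.
# Returns 0 if a copy was made, 1 if DST was already current.
refresh_file() {
    src=$1
    dst=$2
    mkdir -p "$(dirname "$dst")"
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi
    cp -p "$src" "$dst"
}

# populate_chroot SRC_ROOT CHROOT REL_PATH...
# Mirror each REL_PATH from SRC_ROOT (use "" for the real root) into
# CHROOT, copying only what changed. Prints the number of files copied.
populate_chroot() {
    src_root=$1
    chroot_dir=$2
    shift 2
    copied=0
    for rel in "$@"; do
        if refresh_file "$src_root/$rel" "$chroot_dir/$rel"; then
            copied=$((copied + 1))
        fi
    done
    echo "$copied"
}

# Create the device nodes named needs inside the chroot (requires root).
ensure_devices() {
    chroot_dir=$1
    mkdir -p "$chroot_dir/dev"
    [ -c "$chroot_dir/dev/null" ]   || mknod -m 666 "$chroot_dir/dev/null" c 1 3
    [ -c "$chroot_dir/dev/random" ] || mknod -m 644 "$chroot_dir/dev/random" c 1 8
}

# check_named_conf CHROOT CONF
# Once named has chrooted, every absolute path in its config is resolved
# relative to CHROOT, so "/var/run/named.pid" really means
# CHROOT/var/run/named.pid. Flag each absolute path whose parent directory
# does not exist under CHROOT: named could neither open nor create it.
# Prints the offending paths; returns 1 if any, 0 if the config is consistent.
check_named_conf() {
    chroot_dir=$1
    conf=$2
    bad=0
    # every double-quoted string that starts with "/" (paths without spaces)
    for p in $(grep -o '"/[^"]*"' "$conf" | tr -d '"'); do
        if [ ! -d "$chroot_dir$(dirname "$p")" ]; then
            echo "$p"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Self-contained demonstration in a temporary tree (no root needed).
demo() {
    tmp=$(mktemp -d)
    host="$tmp/host"
    jail="$tmp/chroot"
    mkdir -p "$host/usr/sbin" "$host/etc" "$host/var/named"
    # constructed stand-ins for the real binary, config and zone file
    printf '#!/bin/sh\necho fake named\n' > "$host/usr/sbin/named"
    printf 'options { directory "/var/named"; pid-file "/var/run/named.pid"; };\n' \
        > "$host/etc/named.conf"
    printf 'zone "example.test" { type master; file "/var/named/example.zone"; };\n' \
        >> "$host/etc/named.conf"
    printf '$TTL 3600\n@ IN SOA ns1 hostmaster 1 1h 15m 1w 1h\n' \
        > "$host/var/named/example.zone"

    files="usr/sbin/named etc/named.conf var/named/example.zone"
    echo "first start: $(populate_chroot "$host" "$jail" $files) files copied"
    echo "restart:     $(populate_chroot "$host" "$jail" $files) files copied"

    if check_named_conf "$jail" "$jail/etc/named.conf" >/dev/null; then
        echo "named.conf consistent"
    else
        echo "named.conf references paths missing from the chroot:"
        check_named_conf "$jail" "$jail/etc/named.conf" || true
        mkdir -p "$jail/var/run"
        check_named_conf "$jail" "$jail/etc/named.conf" && echo "fixed after mkdir var/run"
    fi
    rm -rf "$tmp"
}

demo
```

On a real system the startup script would call `populate_chroot "" /var/named usr/sbin/named etc/named.conf ...` and `ensure_devices /var/named` as root, then refuse to start named if `check_named_conf` fails; the parent-directory test is deliberately loose so that files named creates itself (pid-file, dump-file) are not reported as missing.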