[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: chroot'd daemons

>> I read in the LSAG, I think, that there is a bind package available for RedHat
>> that runs in a chroot'd environment. Wouldn't it be wise to do the same for
>> some Debian packages too?
>Yes, but perhaps it is enough to have a "jail builder" package, so you have
>less data to download. This is something like the ftpd routne which checs if
>the anon dir is populated with recent libs and ls. And of course you need to
>avoid running the daemons as root, which is unfortunatelly needed as long as
>you dont patch kernel or use capablities.

We currently have a fine authbind package which allows us to easily run daemons
such as DNS servers as non-root.
With that setup why do we need to have a chroot() environment for a daemon? 
Surely we can just give it it's own UID and then it can't do much harm if

I'm in Utrecht.  I'd like to meet any Linux users in the area, or any other
part of the Netherlands.

Reply to: