On May 24, Stephen Frost scribbled:
> On Wed, 24 May 2000, Marco d'Itri wrote:
>
> > On May 23, Marek Habersack <grendel@vip.net.pl> wrote:
> >
> > > I'm building for myself a chrooted bind package. It's gonna be used locally
> > > only, but I want it to conform to the Debian Policy Manual/FHS as much as it
> > > is possible. My first idea was to put the chroot tree in /usr/local, but
> > It's a system dependent choice, there is currently no FHS policy
> > regarding chroots.
> >
> > (BTW, I'm considering writing a tool which automatically maintains and
> > updates chroot environments, I think more of our daemons should be
> > chrooted. It's a shame our BIND package even runs as root.)
>
> I would have to agree with this... bind should not be running as root,
> and would be best if it was run in a chroot jail. I set it up here and it was
> not a very complex process, perhaps once I get more experience I'll try and do
> something to better automate the process.

Setting up itself isn't hard. The harder part is to package it that way. I think
we should have (assuming more daemons will run chrooted) a separate package
providing the chroot framework. I imagine it would provide something like that:

/var/chroot/
/var/chroot/lib <- all the libraries go here
/var/chroot/etc <- necessary config files

The chrooted daemons would be installed in a package/ subdir of the chroot tree, e.g.:

/var/chroot/bind

and create structure of their own hardlinking the libraries and /etc files from
the /var/chroot/ tree (for that to work all of the packages must be on one
filesystem). They would run chrooted into their /var/chroot/package/ directory.
All packages would require the chroot package (e.g. chroot-base).

Comments?

marek
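One way to build the layout Marek sketches, as an added example that is not part of the thread: a small POSIX shell helper that hardlinks files from the shared /var/chroot/lib and /var/chroot/etc into a per-daemon /var/chroot/<package>/ tree and fails loudly when the two are not on one filesystem (the constraint the mail points out). CHROOT_BASE, link_into_jail, make_jail and is_shared are names chosen here; the shared tree is assumed to be populated already.

```shell
#!/bin/sh
# Added example (not from the thread). Shared tree: $CHROOT_BASE/lib, $CHROOT_BASE/etc.
# Per-daemon jail: $CHROOT_BASE/<pkg>/lib, $CHROOT_BASE/<pkg>/etc, ... built by
# hardlinking, so the daemon's /lib/libc.so.6 inside the chroot is the same inode
# as the shared copy and gets updated with it.
CHROOT_BASE="${CHROOT_BASE:-/var/chroot}"

# link_into_jail RELPATH PKG: hardlink $CHROOT_BASE/RELPATH to $CHROOT_BASE/PKG/RELPATH.
# Idempotent if the link already exists; refuses to clobber a different file;
# hardlinks cannot cross filesystems, so that case is reported instead of copied.
link_into_jail() {
    src="$CHROOT_BASE/$1"
    dst="$CHROOT_BASE/$2/$1"
    [ -f "$src" ] || { echo "missing shared file: $src" >&2; return 1; }
    mkdir -p "$(dirname "$dst")" || return 1
    if [ -e "$dst" ]; then
        [ "$src" -ef "$dst" ] && return 0
        echo "refusing to overwrite $dst (not a link to $src)" >&2
        return 1
    fi
    ln "$src" "$dst" 2>/dev/null || {
        echo "hardlink $src -> $dst failed: shared tree and jail must be on one filesystem" >&2
        return 1
    }
}

# make_jail PKG RELPATH...: create the skeleton for one daemon and link in
# the listed shared files (e.g. lib/libc.so.6 etc/resolv.conf).
make_jail() {
    pkg="$1"; shift
    mkdir -p "$CHROOT_BASE/lib" "$CHROOT_BASE/etc" "$CHROOT_BASE/$pkg/dev" || return 1
    for f in "$@"; do
        link_into_jail "$f" "$pkg" || return 1
    done
}

# is_shared RELPATH PKG: true when the jail copy really is the shared inode.
is_shared() { [ "$CHROOT_BASE/$1" -ef "$CHROOT_BASE/$2/$1" ]; }
```

The daemon is then started with its root at $CHROOT_BASE/<pkg>, so the paths inside the jail match the relative paths used above.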