[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: bind9-chroot (was: questions on ITP)

also sprach Richard Atterer (on Sat, 22 Sep 2001 03:28:21PM +0200):
> One idea: In a configuration file, the user lists those daemons he
> wants to run chrooted. init.d scripts that support it read this
> information and act on it, copying the required files to a chroot
> before starting the daemon there.

well, you might just use SuSE then...
i don't think this is a good idea. for one, it is not necessary to
copoy the chroot files over and over again with each init.d start.
this interferes with tripwire installations, and it's in violation of
the "never touch a running system" philosophy. even if libc is
updated, if bind runs happily in its chroot. and if some security
patch or otherwise crucial update is pending for a library that bind
also uses, then the bind9 and bind9-chroot packages should be updated
anyway. sure, this requires more work on the maintainer side, but it's
the best way to do it.

> - If I were to put together a "chroot-helper" package, would people be
>   interested in using it for their package?

i don't think a global solution is a good choice here. if i install
bind9-chroot (hypothetically speaking), then bind9 should not possibly
ever run non-chrooted again. this should be done via diversions.

martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
you will be run over by a beer truck.

Attachment: pgplnylt0tQLV.pgp
Description: PGP signature

Reply to: