
Re: bind9-chroot (was: questions on ITP)



Martin F Krafft wrote:
> 
> also sprach Richard Atterer (on Sat, 22 Sep 2001 10:03:55PM +0200):
> > What alternative possibilities for implementing this do you see? The
> > package will have to contain the necessary chrooting script somewhere,
> > and the admin will have to perform some action to trigger its
> > execution. After he has done that, the init.d script should execute
> > the chrooted daemon.
> 
> i believe that chroot should be an install time choice, not a runtime
> one (as in config script).

For the long term, this is the safer choice.

For even better security, just make the standard install chrooted
if it is wise for security reasons to.  I've long questioned why
this hasn't been done for many daemons already.  I know some people
may feel that because it breaks something or another one shouldn't
do this, but I know bind doesn't break anything by being chrooted.
What about others?

-- 
|  Bryan Andersen   |   bryan@visi.com   |   http://www.nerdvest.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |


