Re: bind9-chroot (was: questions on ITP)
On Tue, 25 Sep 2001, Christian Kurz wrote:
> On 01-09-24 Henrique de Moraes Holschuh wrote:
> > On Mon, 24 Sep 2001, Christian Kurz wrote:
> > > Hm, that doesn't make much sense to me. I think the best thing would be
> > > to have /etc/bind inside $CHROOT and having no symlink.
> > And scratch the second-most important feature of Debian (the first one being
> > the DFSG)? Do Not Move Config Files Out Of /etc. Ever. If you need it
> > elsewhere, at least leave a symbolic link in place.
> But having a link from either the config-files in /etc/bind to $CHROOT
> or in the other direction, could be in my opinion a security risk. In my

Oh, how so?

> opinion there should be absolutely no link from $CHROOT to any file
> outside the chroot. So instead of creating a $CHROOT that contains

Get some sleep. Links from inside the chroot to outside do not work, unless
the kernel is fucked up.

As for links from outside to inside, please expand on just how they're a
threat to security?

> and would instead suggest to modify the documents stating that all
> config files should be in /etc to make an exception for $CHROOT.

<wears QA hat>
NEVER. This is not some low-grade distribution where you can go around
scattering configuration files all over the filesystem. I will fight tooth
and nail against such an atrocity.
</wears QA hat>
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
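
An added example, not part of the original thread: an unprivileged audit that lists every symlink under a chroot tree and shows where it resolves for the host versus for a process confined to the jail. The function names, the `jail` directory and the `hostfile`, `climb` and `absolute` entries are constructed for illustration; the resolver models path lookup only (absolute targets restart at the jail root, ".." at the jail root stays there).

```python
import os, tempfile

def resolve_in_chroot(chroot, path, max_links=40):
    """Host path that a process chrooted into `chroot` reaches for `path`."""
    chroot = os.path.realpath(chroot)
    pending = [p for p in path.split("/") if p and p != "."]
    resolved, links = [], 0               # components below the jail root
    while pending:
        part = pending.pop(0)
        host = os.path.join(chroot, *resolved, part)
        if part == "..":
            resolved = resolved[:-1]      # ".." at the jail root stays there
        elif not os.path.islink(host):
            resolved.append(part)
        elif (links := links + 1) > max_links:
            raise OSError("too many levels of symbolic links")
        else:
            target = os.readlink(host)
            if target.startswith("/"):    # absolute target restarts at jail root
                resolved = []
            pending = [p for p in target.split("/") if p and p != "."] + pending
    return os.path.join(chroot, *resolved)

def audit_symlinks(chroot):
    """Map each symlink in the jail to (target, host view, in-jail view)."""
    report = {}
    for dirpath, dirs, files in os.walk(chroot):
        for name in dirs + files:
            host = os.path.join(dirpath, name)
            if os.path.islink(host):
                rel = os.path.relpath(host, chroot)
                report[rel] = (os.readlink(host), os.path.realpath(host),
                               resolve_in_chroot(chroot, "/" + rel))
    return report

def build_demo(root):  # constructed layout: config in the jail, /etc/bind links in
    jail = os.path.join(root, "jail")
    os.makedirs(os.path.join(jail, "etc", "bind"))
    os.makedirs(os.path.join(root, "etc"))
    open(os.path.join(root, "etc", "hostfile"), "w").close()
    os.symlink(os.path.join(jail, "etc", "bind"), os.path.join(root, "etc", "bind"))
    os.symlink("../etc/hostfile", os.path.join(jail, "climb"))     # relative climb
    os.symlink("/etc/hostfile", os.path.join(jail, "absolute"))    # absolute target
    return jail

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for rel, views in audit_symlinks(build_demo(root)).items():
            print(rel, *views, sep="\n    ")
```

Links whose host view and in-jail view differ are the ones that dangle or point at a different file once the daemon has chrooted, which is worth checking before shipping a jail layout.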