
Re: bind9-chroot (was: questions on ITP)



Sam Couter <sam@topic.com.au> writes:

> Because the files accessed from within the chroot once it's broken are the
> SAME FILES as on the real system.

We're not discussing running two binds on a system, one in a chroot
and one not.  (Although I think I understand your concern now.)

We're discussing running exactly one bind in a chroot, so that if bind
is exploited, the damage is minimized.

Then, for ease of maintenance, we're discussing symlinking /etc/bind
to /wherever/chroot/etc/bind, so you can edit the configuration files
as if they were in etc.

We're on the same page so far, right?

Your concern seems to be that an attacker would break the bind within
the chroot and edit the configuration files.  If the files were copied
from a file outside the chroot (and thus out of their realm to
modify), you think this would add security, right?

It would add as much security to have but one copy of those files
modifiable only by root, read-only by anyone else (i.e., the bind
process in the chroot).  Then, unless the attacker managed to get root
from bind, they can't modify the files... and if they could get root
from bind, they can break the chroot anyway.  (man 2 chroot)

-- 
Alan Shutko <ats@acm.org> - In a variety of flavors!
If *I* had a hammer, there'd be no more folk singers.
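One way to verify the arrangement Alan describes, as an added example that is not part of the original thread: a POSIX shell check that the config tree inside the chroot is owned by root and writable by nobody else, and that the host-side /etc/bind symlink points into it. The chroot location /var/lib/named and the owner name are assumptions, not taken from any package.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a bind chroot's config
# directory for the property argued above (one copy of the files, owned by
# root, writable by nobody else, reachable from the host via a symlink).
# The chroot path below is an assumption.

# check_conf_dir DIR [OWNER]
# Lists every file or directory under DIR that is not owned by OWNER
# (default root) or that is group- or world-writable.  Directories are
# included because a writable directory lets an unprivileged process replace
# a read-only file with a new one.  Returns 0 when nothing is listed.
check_conf_dir() {
    dir=$1
    owner=${2:-root}
    bad=$(find "$dir" \( -type f -o -type d \) \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) 2>/dev/null)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# check_symlink LINK TARGET
# Verifies that LINK is a symlink pointing exactly at TARGET, so that editing
# the host-side path edits the single copy inside the chroot.
check_symlink() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# Stand-alone usage against the assumed chroot location: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    check_conf_dir /var/lib/named/etc/bind && echo "config permissions ok"
    check_symlink /etc/bind /var/lib/named/etc/bind && echo "symlink ok"
fi
```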
