Re: bind9-chroot (was: questions on ITP)

To: debian-devel@lists.debian.org
Subject: Re: bind9-chroot (was: questions on ITP)
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Tue, 25 Sep 2001 23:01:12 -0300
Message-id: <[🔎] 20010925230112.A27179@godzillah>
In-reply-to: <[🔎] 20010926095715.A520@mailhost.topic.com.au>; from sam@topic.com.au on Qua, Set 26, 2001 at 09:57:15 +1000
References: <[🔎] 87elozyuaa.fsf@rover.gag.com> <[🔎] 20010923114733.A636@wonderland.linux.it> <[🔎] 20010923162452.A16048@fishbowl.madduck.net> <[🔎] 20010924103154.C2382@salem.getuid.de> <[🔎] 20010924123102.B1027@fishbowl.madduck.net> <[🔎] 20010924225913.G2382@salem.getuid.de> <[🔎] 20010924224803.A4646@godzillah> <[🔎] 20010925101107.A27861@salem.getuid.de> <[🔎] 20010925091537.A8760@godzillah> <[🔎] 20010926095715.A520@mailhost.topic.com.au>

On Wed, 26 Sep 2001, Sam Couter wrote:
> On Tue, 25 Sep 2001, Christian Kurz wrote:
> > But having a link from either the config-files in /etc/bind to $CHROOT
> > or in the other direction, could be in my opinion a security risk.
> 
> Henrique de Moraes Holschuh <hmh@debian.org> wrote:
> > Oh, how so?
> 
> Because the files accessed from within the chroot once it's broken are the
> SAME FILES as on the real system.
> Doesn't that kinda defeat the purpose of having a chroot?

Maybe. But doesn't bind mounts have the same effect (or can one do a
read-only bind mount)?  One has to choose one of two evils: either use
symlinks/bind mounts to have the file being the same, and breaking into the
chroot alows one to modify the file. Or copy the file from the canon
location into the chroot once in a while [which is what I do].

> > Get some sleep. Links from inside the chroot to outside do not work, unless
> > the kernel is fucked up.
> 
> Hard links work fine.

Who would do something as stupid as hardlinking to a file inside a chroot?
Nevermind, I think I'm happier without this bit of info (I keep chroots in a
filesystem of their own for a reason ;) ).

> > <wears QA hat>
> > NEVER. This is not some low-grade distribution where you can go around
> > scattering configuration files all over the filesystem.  I will fight tooth
> > and nail against such an atrocity.
> > </wears QA hat>
> 
> I agree wholeheartedly here.
> 
> I don't see what's so hard about rsync'ing the files from /etc to the
> chroot in the init script each time the daemon is started.

Which is what I do in my chroot scripts, and what postfix does in its chroot
script (and that was exactly the example I gave of "chroot done right" in
sometime ago in this thread).

The only thing better than initializing the chroot from a canon copy, would
be read-only bind mounts, which are not available in the 2.2 kernels at
best.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to:

References:
- Re: bind9-chroot (was: questions on ITP)
  - From: Bdale Garbee <bdale@gag.com>
- Re: bind9-chroot (was: questions on ITP)
  - From: Marco d'Itri <md@Linux.IT>
- Re: bind9-chroot (was: questions on ITP)
  - From: Martin F Krafft <madduck@madduck.net>
- Re: bind9-chroot (was: questions on ITP)
  - From: Christian Kurz <shorty@debian.org>
- Re: bind9-chroot (was: questions on ITP)
  - From: Martin F Krafft <madduck@madduck.net>
- Re: bind9-chroot (was: questions on ITP)
  - From: Christian Kurz <shorty@debian.org>
- Re: bind9-chroot (was: questions on ITP)
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: bind9-chroot (was: questions on ITP)
  - From: Christian Kurz <shorty@debian.org>
- Re: bind9-chroot (was: questions on ITP)
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: bind9-chroot (was: questions on ITP)
  - From: Sam Couter <sam@topic.com.au>

Prev by Date: Re: PROPOSED: slight change to wnpp procedures
Next by Date: Re: PROPOSED: slight change to wnpp procedures
Previous by thread: Re: bind9-chroot (was: questions on ITP)
Next by thread: Re: bind9-chroot (was: questions on ITP)
Index(es):
- Date
- Thread