
Re: bind9-chroot (was: questions on ITP)



On Wed, 26 Sep 2001, Sam Couter wrote:
> On Tue, 25 Sep 2001, Christian Kurz wrote:
> > But having a link from either the config-files in /etc/bind to $CHROOT
> > or in the other direction, could be in my opinion a security risk.
> 
> Henrique de Moraes Holschuh <hmh@debian.org> wrote:
> > Oh, how so?
> 
> Because the files accessed from within the chroot once it's broken are the
> SAME FILES as on the real system.
> Doesn't that kinda defeat the purpose of having a chroot?

Maybe. But don't bind mounts have the same effect (or can one do a
read-only bind mount)?  One has to choose one of two evils: either use
symlinks/bind mounts to have the file being the same, and breaking into the
chroot allows one to modify the file. Or copy the file from the canon
location into the chroot once in a while [which is what I do].

> > Get some sleep. Links from inside the chroot to outside do not work, unless
> > the kernel is fucked up.
> 
> Hard links work fine.

Who would do something as stupid as hardlinking to a file inside a chroot?
Nevermind, I think I'm happier without this bit of info (I keep chroots in a
filesystem of their own for a reason ;) ).

> > <wears QA hat>
> > NEVER. This is not some low-grade distribution where you can go around
> > scattering configuration files all over the filesystem.  I will fight tooth
> > and nail against such an atrocity.
> > </wears QA hat>
> 
> I agree wholeheartedly here.
> 
> I don't see what's so hard about rsync'ing the files from /etc to the
> chroot in the init script each time the daemon is started.

Which is what I do in my chroot scripts, and what postfix does in its chroot
script (and that was exactly the example I gave of "chroot done right"
some time ago in this thread).

The only thing better than initializing the chroot from a canon copy, would
be read-only bind mounts, which are not available in the 2.2 kernels at
best.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
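An added example, not code from this thread or from the bind9 or postfix packages, of the "copy from the canonical location at daemon start" approach described above, written as POSIX sh functions an init script could call. The source and chroot paths are parameters so it can be exercised on a scratch tree, and `verify_chroot_copy` rejects the two cases raised in the thread: symlinks and hard links that would make the jailed copy the same file as the one on the real system. It assumes a `find` that supports `-links` (GNU and BSD do).

```shell
#!/bin/sh
# Constructed example: populate a chroot from the canonical config tree at
# daemon start instead of linking the two trees together. Paths are
# parameters so the functions can be exercised on a scratch directory.

# sync_chroot_config SRC CHROOT
#   Copies every regular file under SRC to CHROOT/SRC as a fresh, independent
#   file (never a symlink or hard link), then verifies the result.
#   Returns 0 on success, 1 if a link was found or a copy failed.
sync_chroot_config() {
    src=$1
    chroot_dir=$2
    dest="$chroot_dir$src"

    # A chroot (or its config dir) that is itself a symlink would point the
    # "jailed" files straight back at the real filesystem: refuse it.
    if [ -L "$chroot_dir" ] || [ -L "$dest" ]; then
        echo "refusing: $chroot_dir or $dest is a symlink" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1

    # cp creates a new inode inside the chroot, so tampering with the copy
    # from inside the jail never reaches the canonical file.
    find "$src" -type f | while read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$dest/$(dirname "$rel")" || exit 1
        cp "$f" "$dest/$rel" || exit 1
    done || return 1

    verify_chroot_copy "$dest"
}

# verify_chroot_copy DIR
#   Fails if DIR contains a symlink or a file with link count > 1: a hard
#   link shares its inode with a file elsewhere, so editing one edits both.
verify_chroot_copy() {
    dir=$1
    if [ -n "$(find "$dir" -type l)" ]; then
        echo "symlink present under $dir" >&2
        return 1
    fi
    if [ -n "$(find "$dir" -type f -links +1)" ]; then
        echo "hard-linked file under $dir" >&2
        return 1
    fi
    return 0
}
```

A later compromise inside the chroot can then at worst alter the copy, which the next daemon restart overwrites from the canonical tree.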
