
Re: bind9-chroot (was: questions on ITP)

On 01-09-25 Henrique de Moraes Holschuh wrote:
> On Tue, 25 Sep 2001, Christian Kurz wrote:
> > On 01-09-24 Henrique de Moraes Holschuh wrote:
> > > On Mon, 24 Sep 2001, Christian Kurz wrote:
> > > > Hm, that doesn't make much sense to me. I think the best thing would be
> > > > to have /etc/bind inside $CHROOT and having no symlink. 

> > > And scratch the second-most important feature of Debian (the first one being
> > > the DFSG)?  Do Not Move Config Files Out Of /etc. Ever. If you need it
> > > elsewhere, at least leave a symbolic link in place.

> > But having a link from either the config-files in /etc/bind to $CHROOT
> > or in the other direction, could be in my opinion a security risk. In my

> Oh, how so?

I think you know the method of how to break out of a chroot. Having
some symlink inside the chroot would in my opinion make this task easier
than it normally is. But feel free to prove me wrong.

> > and would instead suggest modifying the documents stating that all
> > config files should be in /etc to make an exception for $CHROOT.

> <wears QA hat>
> NEVER. This is not some low-grade distribution where you can go around
> scattering configuration files all over the filesystem.  I will fight tooth
> and nail against such an atrocity.
> </wears QA hat>

Well, then we have to find some other way like cp, rsync, or something
else to keep one copy of the files in /etc and one in $CHROOT/etc. Using
mount --bind is, like I stated before, no option.

           Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853
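
The copy approach mentioned at the end of the message above, sketched as an added example that is not part of the original post or of any Debian package: a one-way sync that keeps /etc/bind authoritative and puts only plain files, never symlinks, into the chroot copy. The function name `sync_chroot_conf` and the `CHROOT` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. sync_chroot_conf SRC DST
#   SRC: authoritative directory, e.g. /etc/bind
#   DST: copy inside the jail, e.g. "$CHROOT/etc/bind" (CHROOT is an assumed variable)
# Prints the number of files (re)copied. Dotfiles and subdirectories are not handled.
sync_chroot_conf() {
    src=$1
    dst=$2
    if [ ! -d "$src" ]; then
        echo "no such directory: $src" >&2; return 1
    fi
    # Never write through a destination that is itself a symlink.
    if [ -L "$dst" ]; then
        echo "refusing: $dst is a symlink" >&2; return 1
    fi
    mkdir -p "$dst" || return 1
    copied=0
    for f in "$src"/*; do
        name=${f##*/}
        # Copy plain files only; symlinks, directories and devices in SRC are skipped.
        if [ -L "$f" ] || [ ! -f "$f" ]; then continue; fi
        # A symlink at the target name is removed first so mv cannot follow it.
        if [ -L "$dst/$name" ]; then rm -f "$dst/$name"; fi
        if [ -d "$dst/$name" ]; then
            echo "refusing: $dst/$name is a directory" >&2; return 1
        fi
        # Unchanged files are left alone.
        if [ -f "$dst/$name" ] && cmp -s "$f" "$dst/$name"; then continue; fi
        # Copy to a temporary name, then rename, so named never reads a partial file.
        tmp="$dst/.$name.tmp.$$"
        if ! cp -p "$f" "$tmp" || ! mv -f "$tmp" "$dst/$name"; then
            rm -f "$tmp"; return 1
        fi
        copied=$((copied + 1))
    done
    # Drop symlinks and stale plain files from the copy.
    for f in "$dst"/*; do
        name=${f##*/}
        if [ -L "$f" ]; then
            rm -f "$f"
        elif [ -f "$f" ] && { [ -L "$src/$name" ] || [ ! -f "$src/$name" ]; }; then
            rm -f "$f"
        fi
    done
    echo "$copied"
}
```

Run as root from the init script before named starts, for example `sync_chroot_conf /etc/bind "$CHROOT/etc/bind"`; a non-zero return means the copy was not completed.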
