On Fri, Sep 28, 2001 at 10:15:09AM +0200, Christian Kurz wrote:
> > lets not exaggerate, the only distribution I know that actually
>
> Where am I exaggerating? I'm just describing the problem and how one
> possible one to handle it would be.

you are making grandiose claims that people will abandon debian in droves to use other distros if debian does not supply quick and automatic chroot options for bind. I counter that the other distributions don't chroot bind by default nor offer chroot as an option; you have to do it manually. so why would someone abandon debian if they have to do a chroot config manually under 2.2 kernels when they have to do it manually on all the other dists no matter what kernel they use?

> > chroots bind by default is OpenBSD. it wasn't until very recently
>
> It's not about the problem of having chroot by default. Having a script
> that is invoked upon user interaction that generates the chroot would in
> my opinion be also an acceptable solution. We just shouldn't have a
> solution for chrooting bind that depends on kernel 2.4.x features.

I think respecting debian policy is more important than supporting 2.2 kernels for chrooted bind. the only real options for 2.2 are:

1: rsync /etc/bind to $chroot/etc/bind in the initscript on start.
2: violate policy and move the config files out of /etc

option 1 sucks since you have to fully restart bind to make changes to your configs instead of merely sending a SIGHUP (or is that even needed?)

option 2 is unacceptable IMO, and really in fact by current policy, and throwing away policy would be foolish since that's what makes debian such a high quality distribution.

comparing this to postfix isn't very useful either; in postfix the config files do NOT live in the chroot. the only things put in the chroot are a couple of libs that are required and things like /etc/hosts and /etc/localtime.

bind mounts are not an option for postfix without severely reducing the security of the chroot (you would have to mount all of /etc and all of /lib to make it effective, and at that point why bother).

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
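For readers following the thread, here is what "option 1" above looks like as a minimal initscript: the canonical config stays in /etc/bind, a copy is synced into the chroot on every start, and named is told to chroot itself after loading its libraries. This is an added illustration written for this archive, not Debian's bind initscript or anything posted in the thread. The chroot path /var/lib/named, the use of cp -a instead of rsync (so it runs where rsync is absent), the pid-file location, and the named command line are all assumptions; `-t` and `-u` are the standard BIND 8/9 chroot and setuid options.

```sh
#!/bin/sh
# Added example of "option 1" from the message above: sync /etc/bind into a
# chroot on a 2.2 kernel (no bind mounts), keeping the real config in /etc.
# Paths and the named invocation below are assumptions, not Debian's script.

CHROOT="${CHROOT:-/var/lib/named}"   # assumed chroot location
CONFDIR="${CONFDIR:-/etc/bind}"      # canonical config, stays outside the chroot

# Build the skeleton and copy in what named reads after chroot(): the config
# tree and /etc/localtime. No libraries go in, because named is exec'd from
# outside and only chroot()s once they are already mapped. The old copy is
# removed first so a zone file deleted from /etc/bind does not linger.
populate_chroot() {
    chroot="$1"; conf="$2"
    for d in etc/bind var/cache/bind var/run dev; do
        mkdir -p "$chroot/$d" || return 1
    done
    rm -rf "$chroot/etc/bind"
    cp -a "$conf" "$chroot/etc/bind" || return 1
    [ -f /etc/localtime ] && cp -p /etc/localtime "$chroot/etc/localtime"
    return 0
}

# Sanity check for the drawback the message describes: if the copy inside the
# chroot differs from /etc/bind, named is serving a stale configuration.
chroot_in_sync() {
    diff -r "$2" "$1/etc/bind" >/dev/null 2>&1
}

main() {
    case "$1" in
      start)
        populate_chroot "$CHROOT" "$CONFDIR" || exit 1
        # -t: chroot after startup; -u: drop privileges to the bind user.
        named -t "$CHROOT" -u bind
        ;;
      reload)
        # A bare SIGHUP would re-read $CHROOT/etc/bind, i.e. the stale copy,
        # so the sync has to happen first (assumed pid-file location).
        populate_chroot "$CHROOT" "$CONFDIR" || exit 1
        kill -HUP "$(cat "$CHROOT/var/run/named.pid")"
        ;;
      check)
        chroot_in_sync "$CHROOT" "$CONFDIR" && echo "chroot config in sync"
        ;;
    esac
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The `check` action makes the trade-off visible: edit a zone file in /etc/bind and the check fails until the next start or reload re-copies it, which is exactly why the message prefers bind mounts (or a 2.4 kernel) where policy allows.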