
Re: NMU'ing for wishlist bugs? (aka: intent to NMU bind9)

begin  Russell Coker quote on Tue, Sep 10, 2002 at 11:01:43PM +0200:
> > As long as you're running it as non-root, do you make it chroot() also?
> 
> Chroot is much more difficult to manage.  Non-root is a no-cost option.

Chroot with bind9 is significantly easier than with other apps... it's more
like the PrivSep sshd.  (I'm referring to the -t option to named).

But you're absolutely correct: non-root is a minimal cost option, chroot
is slightly more so.  Really, the most troublesome part of setting it up
automatically is that you have to tell syslog to put a socket in the
chroot's etc.  See http://cryptio.net/~ferlatte/config for a step by
step example.

> > bind8 could also run as non-root, but the maintainer's viewpoint was
> > that it would confuse people who had interfaces that were transient.
> > User-friendliness wins over security yet again.
> 
> It would not confuse anyone.  Have it run with authbind and it will do
> everything as non-root that it could do as root.

Neat.  Haven't heard of authbind before.

M
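The chroot setup the mail outlines (named's -t and -u options plus a syslog socket placed inside the chroot), as an added shell example that is not part of the original message or the linked config; the chroot path, the unprivileged user "bind", the dev/log socket location and a sysklogd-style syslogd with its -a option are assumptions.

```sh
#!/bin/sh
# Added example: lay out a chroot for BIND 9's named so it can be started
# with `named -t <chroot> -u <user>`, and emit the syslogd option that adds
# a /dev/log socket inside that chroot. Assumed: sysklogd-style syslogd
# (-a <socket>), an unprivileged user "bind", chroot path as first argument.
set -eu

# Create the minimal directory tree named needs under the chroot.
prepare_named_chroot() {
    root=$1
    for d in etc dev var/cache/bind var/run; do
        mkdir -p "$root/$d"
    done
    # named wants /dev/null and /dev/random inside the chroot; creating
    # device nodes needs root, so only do it when actually running as root.
    if [ "$(id -u)" -eq 0 ]; then
        [ -e "$root/dev/null" ]   || mknod -m 666 "$root/dev/null" c 1 3
        [ -e "$root/dev/random" ] || mknod -m 666 "$root/dev/random" c 1 8
    fi
    # Only the cache and pid directories need to be writable by the
    # unprivileged user; the config stays root-owned and read-only.
    chown bind "$root/var/cache/bind" "$root/var/run" 2>/dev/null || true
    printf '%s\n' "$root"
}

# Copy the existing configuration into the chroot. named -t resolves every
# path in named.conf relative to the new root, so the file needs no edits.
copy_named_config() {
    root=$1; src=${2:-/etc/bind}
    mkdir -p "$root/etc/bind"
    cp -a "$src/." "$root/etc/bind/"
}

# syslogd runs outside the chroot, so named's syslog() calls would find no
# /dev/log. sysklogd's -a flag opens an extra listening socket; point it at
# the chroot's dev directory (assumed location, dev/log by default).
syslogd_extra_socket_opt() {
    printf '%s' "-a $1/${2:-dev/log}"
}

# Command line handing the prepared chroot to named, which binds port 53
# and then drops to the unprivileged user.
named_command() {
    printf '%s' "named -u bind -t $1"
}
```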
