begin Russell Coker quote on Tue, Sep 10, 2002 at 11:01:43PM +0200: > > As long as you're running it as non-root, do you make it chroot() also? > > Chroot is much more difficult to manage. Non-root is a no-cost option. Chroot with bind9 is significantly easier than other apps... it's more like the PrivSep sshd. (I'm referring to the -t option to named). But you're absolutely correct: non-root is a minimal cost option, chroot is slightly more so. Really, the most troublesome part of setting it up automatically is that you have to tell syslog to put a socket in the chroot's etc. See http://cryptio.net/~ferlatte/config for a step by step example. > > bind8 could also run as non-root, but the maintainer's viewpoint was > > that it would confuse people who had interfaces that were transient. > > User-friendyness wins over security yet again. > > It would not confuse anyone. Have it run with authbind and it will do > everything as non-root that it could do as root. Neat. Haven't heard of authbind before. M
Attachment:
pgppbX7VKvgKy.pgp
Description: PGP signature