Chrooting named by default (was: Re: chrooting apache[ssl,php,perl] and some mta)
OoO On this lightning-streaked night of Saturday, November 09, 2002, around
02:02, Michael Ablassmeier <firstname.lastname@example.org> said:
> I did some apache chroot environment (php,perl,ssl), and now
> some users want to use the php "mail" command, so I have to
> include some mta into the chroot.
> As far as I know, Sendmail is not a good candidate to chroot.
This is not related, but I wonder what are the reasons that named is
not chrooted by default? The README.Debian says there are some
reasons but does not say what they are. Chrooting named can be done
easily with the appropriate howto, but it would be nice if it was done
Debian OpenBSD has been discontinued because the main author thought
that Debian GNU/Linux is equally secure. However, OpenBSD chroots
named and now apache by default. There are some additional measures
and also the code audit which make a serious advantage for OpenBSD. It
would be great if Debian moved towards more active security.
Follow each decision as closely as possible with its associated action.
- The Elements of Programming Style (Kernighan & Plauger)