chroot-ed bind 9 (was: Users Want *Seamless* Solutions, Not Patchwork)

Simon Waters Simon at wretched.demon.co.uk
Fri Jul 27 00:09:10 UTC 2001


Bill Larson wrote:
> 
> A chroot jail provides you one, and only one, thing.  If someone were to
> connect to the application, and then break out of the application, they
> would have the exact same privileges to modify files in the jail as the
> user that the application was running under.  Note that this implies
> that named shouldn't be run as root without risking that an attacker can
> obtain root access.

Thanks, I understood the basics of chroot (I think), I was
being slightly cynical.

I guess since 9 makes it so much easier to use chroot (My
example used the -u username, as this is required to avoid
the easy breaks quoted), I should revise my standard
configurations to use it. BIND 8 chroot was complex, and
complexity itself can lead to security issues.

My cynicism is because for many people losing control of the
DNS is the worst thing that can happen to the DNS server.

> This is an extremely useful thread that has developed from an originally
> undesired thread.  To second a previous reply to the original thread, I
> would wish that the posters on the original thread would move their
> bickering to some other forum.

I think comparisons with other DNS servers are useful, and
the participants have much to offer to the group. Although I
think some of the product feature bickering could be
resolved if contributors installed the products they are
less familiar with, they are after all both free and open
source.

-- 
Are you using the Internet to best effect ?
www.eighth-layer.com
Tel: +44(0)1395 232769      ICQ: 116952768
Moderated discussion of teleworking at
news:uk.business.telework
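
Added example, not part of the original message or of BIND: a shell check that a named command line pairs the chroot jail with the non-root user discussed above. It uses named's -t (chroot directory) option, which the message does not spell out; the sample command lines, the jail path and the user name are constructed, and it assumes named is started by root.

```shell
#!/bin/sh
# Added example, not from the original post. Command lines below are constructed.
# Assumption: named is launched by root (as an init script would), so a missing
# -u means the daemon keeps root inside the jail.
# Return codes: 0 = -t jail with a non-root -u user
#               1 = -t jail but still root (no -u, or -u root / -u 0)
#               2 = no -t jail at all
audit_named_args() {
    set -f                          # no globbing while the line is word-split
    set -- $1
    set +f
    if [ $# -gt 0 ]; then shift; fi # drop the program name
    na_jail="" na_user=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -t)   if [ $# -ge 2 ]; then na_jail=$2; shift; fi ;;
            -t?*) na_jail=${1#-t} ;;   # attached form: -t/path
            -u)   if [ $# -ge 2 ]; then na_user=$2; shift; fi ;;
            -u?*) na_user=${1#-u} ;;   # attached form: -uname
        esac
        shift
    done
    if [ -z "$na_jail" ]; then
        echo "NO JAIL: -t not set"
        return 2
    fi
    case "$na_user" in
        ""|root|0)
            echo "WEAK JAIL: chroot to $na_jail but named keeps root"
            return 1 ;;
    esac
    echo "OK: chroot to $na_jail as user $na_user"
    return 0
}

# Constructed sample invocations, one per verdict.
for cmdline in \
    "named -u named -t /var/named/chroot" \
    "named -t /var/named/chroot" \
    "named -u root -t /var/named/chroot" \
    "named -u named"
do
    printf '%s\n  ' "$cmdline"
    audit_named_args "$cmdline" || :
done
```
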

