bind chrooted, logging and SELinux = suffering
Kevin Darcy
kcd at daimlerchrysler.com
Tue Jun 7 23:30:40 UTC 2005
Jason Vas Dias wrote:
>On Thu, 2005-06-02 at 07:25, Pete Ehlke wrote:
>
>
>>In other words, you have not identified any "known security
>>vulnerabilities" in current BIND. As a matter of policy, running
>>networked services inside a chroot, a jail, or a zone is a prudent
>>thing. But please stop using alarmist phrases like "Red Hat ships BIND
>>with maximum security protection enabled, to counter known security
>>vulnerabilities." There are no known security vulnerabilities in modern
>>BINDs.
>>
>>
>>
>So why is it a "prudent thing" to run BIND in a chroot jail, if there
>are no security reasons for it?
>
Um, isn't that obvious? Because of the *UNKNOWN* security
vulnerabilities that may potentially be discovered in the future.
- Kevin