[bind10-dev] should the socket creator use chdir?

Michal 'vorner' Vaner michal.vaner at nic.cz
Mon Dec 5 21:13:37 UTC 2011


Hello

On Mon, Dec 05, 2011 at 10:31:22AM -0800, JINMEI Tatuya / 神明達哉 wrote:
> The socket creator process will be the only one that needs to keep the
> root privilege.  I wonder whether we should at least allow it to run
> under a 'chroot' environment for best possible security (I know it's
> not even expected to directly communicate with other BIND 10 processes
> than the boss process, let alone arbitrary remote client nodes, but
> when it comes to security paranoia is often better than optimism).
> Since it's intended to be a simple stand-alone program that could even
> be statically linked, it should be easy to realize that.

I think it is worth it. Actually, if it did the chdir call itself, it wouldn't
need to be statically linked. It would start up, including all the needed
libraries, then make a temporary directory somewhere, chroot there and possibly
delete the directory.

However, it's more a publicity thing than security thing. A root user is able to
leave chrooted environment, at least in Linux. The kernel developers refuse to
„fix“ it, as they say it is a feature, not a bug and that chroot is not security
related anyway.

Anyway, I'd like to make it work first. Then we can add a few more security
things, like the chroot or possibility to drop root privileges and preserve only
the one for binding sockets (if it's possible). But I'd still fear we should do
most of the security checks and worrying on processes that communicate over the
network, like auth or resolver.

With regards

-- 
If it works, fix it.

Michal 'vorner' Vaner
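The sequence sketched above (start up with libraries loaded, create a private empty directory, chroot into it, then give up root while keeping only the ability to bind privileged ports) can be written down concretely on Linux. The following is an added example for this archive page, not BIND 10 code and not anything the socket creator actually shipped. It assumes Linux (capset(2), prctl(2), linux/capability.h), a process that starts as root, and a placeholder unprivileged uid/gid of 65534; the function names are illustrative. The privilege drop uses the Linux capability set to keep exactly CAP_NET_BIND_SERVICE, which is the "preserve only the one for binding sockets" part of the message.

```c
/* Added example (not BIND 10 code): jail a privileged helper on Linux and
 * keep only the capability it needs to bind privileged ports.
 * Assumptions: Linux, started as root, uid/gid 65534 as a placeholder
 * service account. All function names are illustrative. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Create an empty private directory to use as the chroot target.
 * 'buf' receives the path; returns 0 on success, -1 on failure (errno set). */
int make_empty_jail(char *buf, size_t len)
{
    const char tmpl[] = "/tmp/jail.XXXXXX";   /* placeholder location */
    if (len < sizeof tmpl) { errno = ENAMETOOLONG; return -1; }
    memcpy(buf, tmpl, sizeof tmpl);
    if (mkdtemp(buf) == NULL) return -1;
    /* Nobody, including the jailed process later, should create entries here. */
    return chmod(buf, 0500);
}

/* Enter the jail: chroot(), then chdir("/") so the cwd is inside the new
 * root. Forgetting the chdir is the classic mistake: the cwd would still
 * refer to a directory outside the jail. Requires CAP_SYS_CHROOT (root). */
int enter_jail(const char *path)
{
    if (chroot(path) != 0) return -1;
    if (chdir("/") != 0) return -1;
    return 0;
}

/* Capability bits are split across two 32-bit words in capset(2);
 * these helpers compute the word index and bit mask for a capability. */
int cap_word_index(int cap) { return cap / 32; }
unsigned cap_mask(int cap) { return 1u << (cap % 32); }

/* Switch to an unprivileged uid/gid while retaining exactly one capability
 * (e.g. CAP_NET_BIND_SERVICE):
 *   1. PR_SET_KEEPCAPS so the permitted set survives the uid change;
 *   2. drop supplementary groups, change gid, then uid;
 *   3. capset() to shrink permitted/effective to the single capability.
 * Returns 0 on success, -1 (errno set) on failure. */
int drop_to_single_cap(uid_t uid, gid_t gid, int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);

    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;

    data[cap_word_index(cap)].permitted = cap_mask(cap);
    data[cap_word_index(cap)].effective = cap_mask(cap);
    /* inheritable stays 0: nothing survives an exec(). */
    if (syscall(SYS_capset, &hdr, data) != 0) return -1;
    return 0;
}

int main(void)
{
    char jail[64];
    if (make_empty_jail(jail, sizeof jail) != 0) { perror("mkdtemp"); return 1; }
    /* Order matters: chroot() needs root, so jail first, then drop. */
    if (enter_jail(jail) != 0) { perror("chroot"); return 1; }
    if (drop_to_single_cap(65534, 65534, CAP_NET_BIND_SERVICE) != 0) {
        perror("drop privileges"); return 1;
    }
    /* Now: chrooted into an empty directory, non-root, able to bind port 53,
     * but without CAP_SYS_CHROOT, so the usual root chroot escape is gone. */
    printf("jailed in %s as uid %d\n", jail, (int)getuid());
    return 0;
}
```

Two caveats match the message's own remarks. First, the chroot alone is only the "publicity" part: a process that still holds CAP_SYS_CHROOT can chroot again into a subdirectory and walk out, which is why the capability drop has to follow. Second, the process cannot delete the jail directory from inside it (it is now "/"), so "possibly delete the directory" would have to be done by whoever created it from outside, or the directory simply left empty and unwritable as above.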
