Ari Edelkind's "paranoia patch" and v4.*

David W. Hankins David_Hankins at
Thu Feb 14 19:15:16 UTC 2008

On Wed, Feb 13, 2008 at 12:40:01PM +0000, Niall O'Reilly wrote:
> Indeed, given how long this patch has been around (v2.x, IIRC),
> I also wonder whether there are plans at ISC to add equivalent
> official command-line options?  BIND's named has for a long time
> allowed a chroot directory and running UID to be specified on the
> command line.

i'd _really_ like to pull it up.  we kind of floundered with trying to
address ari's and two other linux-sourced patches (that made
additional use of service limitations).  so ari's (if i'm remembering
right) seemed incomplete by comparison, but the linux-distro sourced
patches were overcomplete; they broke some features.  ddns updates
couldn't open a socket was the first one i noticed, i thought there
were others.

in trying to find the perfect compromise between two points, we failed
to progress.  we should probably just pull up ari's patch and find the
complete solution in time.

if someone were willing to port a simple chrooter/setuider to 4.1,
and was willing to work through review with us, we can try to get it

Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil?
David W. Hankins	"If you don't do it right the first time,
Software Engineer		     you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins

More information about the dhcp-users mailing list