
named and chroot? Was running it for 4 years in a jail.

Regards
Peter

On Fri, Sep 11, 2015 at 10:36 AM, Trent W. Buck <trentbuck@gmail.com> wrote:
> Russell Coker writes:
> > On Thu, 10 Sep 2015 11:52:31 AM Trent W. Buck wrote:
> > > chroot isn't a security mechanism.
> >
> > I believe that there is no benefit in allowing a chroot when using SE Linux. If a daemon is to chroot then it needs to be granted the chroot capability [...]
>
> Not strictly true.
> systemd.exec(5) can chroot before spawning the daemon, the same way it can seteuid before spawning the daemon.
> Whether this would ACTUALLY be sufficient is... debatable. :-)
>
> For named or nsd, I think it would actually make more sense to use the Private*= and *Directories= options to set up a new VFS namespace.
> IOW rather than named seeing /var/named/chroot as its root, it would see the regular / but with most subdirs hidden.
>
> Binding to the low port would be solved either using socket activation (requires patched daemon) or by setpcap CAP_NET_BIND_SERVICE.
>
> I'm not sure whether it's worthwhile to do *both* selinux and that kind of security ricing. Probably not.
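
The mount-namespace setup discussed in the quoted message, written out as a systemd unit; this is an added example, not a configuration posted by anyone in the thread. It uses the current directive names (ReadWritePaths=, InaccessiblePaths=), which replaced the *Directories= spellings in later systemd releases. The unit name, binary path, user and directories are assumptions.

```ini
# Constructed example, not from the thread. Unit name, binary path, user
# and directories are assumptions; adjust them to the local BIND packaging.
# /etc/systemd/system/named-sandboxed.service (hypothetical)

[Unit]
Description=BIND in a private mount namespace (example)
After=network.target

[Service]
Type=simple
# -f keeps named in the foreground so systemd supervises it directly.
ExecStart=/usr/sbin/named -f

# The chroot variant from the quoted message, left disabled for comparison:
# systemd performs the chroot itself, so the daemon never needs
# CAP_SYS_CHROOT.
#RootDirectory=/var/named/chroot

# Namespace variant: named sees the regular / with most of it
# read-only or hidden.
# ProtectSystem=strict mounts the whole hierarchy read-only except
# /dev, /proc and /sys.
ProtectSystem=strict
# /home, /root and /run/user appear empty and inaccessible.
ProtectHome=yes
# Private /tmp and /var/tmp, and a minimal /dev without physical devices.
PrivateTmp=yes
PrivateDevices=yes
# The leading "-" means "ignore if the path does not exist".
InaccessiblePaths=-/srv -/mnt -/media -/boot
# The only writable locations: zone/journal data and a fresh /run/named.
ReadWritePaths=/var/named
RuntimeDirectory=named

# Start unprivileged and keep only the capability needed for port 53.
# AmbientCapabilities= needs a systemd and kernel recent enough to support it.
User=named
Group=named
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

Running `systemd-analyze security named-sandboxed.service` on a recent systemd lists which exposure remains after these settings.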