[Pdns-users] logging while chroot

Markus Welsch markus.welsch at suk.de
Wed May 26 08:49:02 UTC 2004


 > Yes, pdns_server  itself is not chrooted, but pdns_server-instances
 > yes. I'm worry about security here. It looks like "half way solution".
 > If the chrooted process can talk to not chrooted, where the isolation
 > is ?!

Here comes kernel level security in play; I suggest a kernel patch like 
grsecurity which enforces chdir after chroot and also protectes outside 

Normally it works as follows:
- starting as root to bind ports < 1024
- dropping root privileges to e. g. user pdns after startup is complete

Remember that the processes within the chroot should NEVER run as root.



More information about the Pdns-users mailing list