[Pdns-users] logging while chroot
Markus Welsch
markus.welsch at suk.de
Wed May 26 08:49:02 UTC 2004
Hi,
> Yes, pdns_server itself is not chrooted, but pdns_server-instances
> yes. I'm worry about security here. It looks like "half way solution".
> If the chrooted process can talk to not chrooted, where the isolation
> is ?!
Here comes kernel level security in play; I suggest a kernel patch like
grsecurity which enforces chdir after chroot and also protectes outside
processes.
Normally it works as follows:
- starting as root to bind ports < 1024
- dropping root privileges to e. g. user pdns after startup is complete
Remember that the processes within the chroot should NEVER run as root.
Cheers,
Markus
More information about the Pdns-users
mailing list