[Pdns-users] logging while chroot

Martin Kuchar lists at nss.wproduction.cz
Wed May 26 10:59:14 UTC 2004


>  > Yes, pdns_server  itself is not chrooted, but pdns_server-instances
>  > yes. I'm worry about security here. It looks like "half 
> way solution".
>  > If the chrooted process can talk to not chrooted, where 
> the isolation
>  > is ?!
> 
> Here comes kernel level security in play; I suggest a kernel 
> patch like 
> grsecurity which enforces chdir after chroot and also 
> protectes outside 
> processes.

Grsecurity is another question. Yes, if i will use it, i will not worry
about this.

> Normally it works as follows:
> - starting as root to bind ports < 1024
> - dropping root privileges to e. g. user pdns after startup 
> is complete
> 
> Remember that the processes within the chroot should NEVER 
> run as root.

OK, but if chrooted process is able to communicate to his parent which is
not chrooted, there can be security hole..

regards,
Martin




More information about the Pdns-users mailing list