[Pdns-users] logging while chroot

Martin Kuchar lists at nss.wproduction.cz
Wed May 26 10:59:14 UTC 2004

>  > Yes, pdns_server  itself is not chrooted, but pdns_server-instances
>  > yes. I'm worry about security here. It looks like "half 
> way solution".
>  > If the chrooted process can talk to not chrooted, where 
> the isolation
>  > is ?!
> Here comes kernel level security in play; I suggest a kernel 
> patch like 
> grsecurity which enforces chdir after chroot and also 
> protectes outside 
> processes.

Grsecurity is another question. Yes, if i will use it, i will not worry
about this.

> Normally it works as follows:
> - starting as root to bind ports < 1024
> - dropping root privileges to e. g. user pdns after startup 
> is complete
> Remember that the processes within the chroot should NEVER 
> run as root.

OK, but if chrooted process is able to communicate to his parent which is
not chrooted, there can be security hole..


More information about the Pdns-users mailing list