[Pdns-users] logging while chroot
lists at nss.wproduction.cz
Wed May 26 10:59:14 UTC 2004
> > Yes, pdns_server itself is not chrooted, but pdns_server-instances
> > yes. I'm worry about security here. It looks like "half
> way solution".
> > If the chrooted process can talk to not chrooted, where
> the isolation
> > is ?!
> Here comes kernel level security in play; I suggest a kernel
> patch like
> grsecurity which enforces chdir after chroot and also
> protectes outside
Grsecurity is another question. Yes, if i will use it, i will not worry
> Normally it works as follows:
> - starting as root to bind ports < 1024
> - dropping root privileges to e. g. user pdns after startup
> is complete
> Remember that the processes within the chroot should NEVER
> run as root.
OK, but if chrooted process is able to communicate to his parent which is
not chrooted, there can be security hole..
More information about the Pdns-users