End of bind-chroot-admin script
Enrico Scholz
enrico.scholz at informatik.tu-chemnitz.de
Mon Nov 10 12:47:02 UTC 2008
Alan Cox <alan at redhat.com> writes:
> It's also inadequate for some forms of attack. If I can persuade your
> named to run code of my choice in a chroot without selinux then I can
> still use your box as a spam machine, botnet host, DoS attack tool,
> proxy, etc .. all without breaking the chroot.
Can be prevented with traditional tools too:
    iptables -A OUTPUT -m owner --uid-owner named -j o-NAMED
Enrico
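
The rule in the message above jumps to a chain named o-NAMED whose contents are not shown. As an added example (not part of the original post or of any Fedora package), here is one possible definition of that chain. It assumes named needs only outbound DNS on port 53 plus loopback; the log prefix, the NAMED_USER variable and the APPLY switch are constructed for illustration.

```shell
#!/bin/sh
# Added example: egress allow-list for processes running as the named user.
# Assumption: the daemon only has to reach other DNS servers (53/udp, 53/tcp)
# and local services over loopback (e.g. rndc). Everything else is rejected.

NAMED_USER="${NAMED_USER:-named}"   # account the daemon runs as
CHAIN="o-NAMED"                     # chain name taken from the post

# Print the rule set, one iptables argument list per line, in load order.
named_egress_rules() {
    cat <<EOF
-N $CHAIN
-A $CHAIN -o lo -j ACCEPT
-A $CHAIN -p udp --dport 53 -j ACCEPT
-A $CHAIN -p tcp --dport 53 -j ACCEPT
-A $CHAIN -m limit --limit 6/minute -j LOG --log-prefix named-egress-denied:
-A $CHAIN -j REJECT
-A OUTPUT -m owner --uid-owner $NAMED_USER -j $CHAIN
EOF
}

# Load the rules into the running kernel (needs root). The OUTPUT jump is
# last, so traffic is never sent to a half-built chain.
apply_named_egress() {
    named_egress_rules | while read -r rule; do
        # Word splitting is intended: each line is a list of arguments.
        iptables $rule || return 1
    done
}

# Default is a dry run that only prints the rules; APPLY=1 loads them.
if [ "${APPLY:-0}" = 1 ]; then
    apply_named_egress
else
    named_egress_rules
fi
```

iptables covers IPv4 only, so the same rules have to be loaded with ip6tables to restrict IPv6 egress as well. The LOG line gives a rate-limited record of any connection attempt by the named user that falls outside DNS.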