F11 bind-chroot - a question?
Todd Zullinger
tmz at pobox.com
Sun Jun 14 13:52:20 UTC 2009
Tom Horsley wrote:
> Why not just *always* run bind chroot?
I'm guessing it's because, in general, Fedora is moving away from
chroot and toward SELinux to provide extra security for these sorts of
services?
> Have the files live in /var/named, then updates just update the one
> and only copy in /var/named? If someone somewhere really and truly
> doesn't want to run chroot, provide a --prefix option in named so he
> can tell it the config files are relative to /var/named instead of
> relative to /, but in any case the config files always live in one
> and only one place.
That sounds like it would entail a similar amount of extra work and
chances for introducing bugs that the bind-chroot-admin script had.
If the bind daemon really is only trusted by admins when it is in a
chroot, it might be a good reason to look at alternative DNS server
software. :)
I don't personally have much interest in this, but if other folks do,
I'm sure suggestions in patch form would be taken more seriously by
the bind maintainers (preferably upstream).
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I expected times like this -- but never thought they'd be so bad, so
long, and so frequent.
-- Demotivators (www.despair.com)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 542 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20090614/9921df36/attachment-0001.sig>
More information about the fedora-list
mailing list