Subject: Re: proposals for running named in a non-root chroot cage
To: None <tech-security@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-security
Date: 03/11/2001 02:21:15
>>>>> "Andrew" == Andrew Brown <atatat@atatdot.net> writes:
>> - change the build system to populate /var/named/ by default
>> (with named-xfer, the example etc/namedb, ...)
Andrew> ...named-xfer would be installed in /var/named/usr/libexec/named-xfer
Andrew> and a symlink would be put at /usr/libexec/named-xfer?
No, please put a copy, and have "ndc" or something update it if it disappears.
Having the only copy in the chroot jail defeats part of the point of the jail.
>> - alternatively, consider a manual migration tool/process.
Andrew> might not be so bad.
Yes, please.
] Train travel features AC outlets with no take-off restrictions|gigabit is no[
] Michael Richardson, Solidum Systems Oh where, oh where has|problem with[
] mcr@solidum.com www.solidum.com the little fishy gone?|PAX.port 1100[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
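
The arrangement asked for in this message (a copy of named-xfer inside the jail, re-installed from the copy outside if it disappears), as an added shell example that is not part of the original post and is not NetBSD's ndc. The function name and status strings are hypothetical; it also replaces a jail copy that differs from the trusted one, which goes a step beyond "disappears".

```shell
#!/bin/sh
# Added example; not from the thread and not NetBSD's ndc.
# Assumption: the jail's usr/libexec directory is writable only by root, so
# the temporary name used below cannot be pre-created by the jailed named.

# sync_jail_copy TRUSTED_BINARY JAIL_ROOT   (hypothetical helper)
# Prints: ok | restored-missing | restored-modified; non-zero on error.
sync_jail_copy() {
    trusted=$1
    jail_root=$2
    target="$jail_root$trusted"   # same path, seen from inside the jail

    # The copy outside the jail is the reference and must be a plain file.
    if [ -L "$trusted" ] || [ ! -f "$trusted" ]; then
        echo "error: no trusted copy at $trusted" >&2
        return 1
    fi

    if [ -L "$target" ]; then
        # A symlink here was not installed by us; drop it, never follow it.
        rm -f "$target" || return 1
        state=restored-modified
    elif [ ! -e "$target" ]; then
        state=restored-missing
    elif [ -d "$target" ]; then
        echo "error: $target is a directory" >&2
        return 1
    elif cmp -s "$trusted" "$target"; then
        echo ok
        return 0
    else
        state=restored-modified
    fi

    mkdir -p "$(dirname "$target")" || return 1
    tmp="$target.new.$$"
    rm -f "$tmp"
    # Copy under a temporary name, then rename, so named never runs a
    # half-written binary.
    if cp "$trusted" "$tmp" && chmod 555 "$tmp" && mv -f "$tmp" "$target"; then
        echo "$state"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage with the paths from the thread:
#   sync_jail_copy /usr/libexec/named-xfer /var/named
```

A "restored-modified" result is worth logging, since it means something inside the jail changed the binary.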