Subject: Re: chrooted bind
To: Thilo Manske <Thilo.Manske@HEH.Uni-Oldenburg.DE>
From: gabriel rosenkoetter <gr@eclipsed.net>
List: current-users
Date: 01/30/2001 10:22:08

On Tue, Jan 30, 2001 at 03:27:39PM +0100, Thilo Manske wrote:
> BTW: It's not difficult to let bind run as another user either
> (options -g & -u), I use this for >2 years now. I wonder why this is not
> used more often...

People are silly and don't read documentation.

Really, though, this doesn't buy you much without the chroot.
(You're still letting a fairly privileged user onto your system.)

I'm in the act of upgrading my DNS box to BIND 9.1.0 right now,
building out of pkgsrc initially, then rebuilding the pieces that
need to be in the chroot by hand. I'd love to not have to do it this
way, and I'd be glad to contribute to making the pkgsrc Makefile and
patches do this by default.

Btw, the ISC claims they could only get 9.1.0 compiled on NetBSD by
way of unproven-pthreads 0.17... but we don't seem to need them (which
is good for me, considering the pkgsrc version doesn't recognize
powerpc-unknown-netbsd)... what'd we do differently? Converted to
cooperative threads? Ignored the problem?

       ~ g r @ eclipsed.net