Subject: Re: privilege "separation" vs. saved set-user-ID
To: NetBSD-current Discussion List <current-users@NetBSD.ORG>
From: Dan Melomedman <dan@devonit.com>
List: current-users
Date: 09/10/2003 10:17:12

Greg A. Woods wrote:
> [ On Tuesday, September 9, 2003 at 12:06:24 (-0400), Dan Melomedman wrote: ]
> > Subject: Re: BSD Authentication
> >
> > As far as services are concerned, the right thing to do
> > is to drop root, and chroot to a jail as soon as it's not needed. Too bad
> > this methodology isn't used often. Sendmail and BIND traditionally
> > didn't have this feature.  I believe the new BIND finally has this
> > feature, and the risk for the root exploit is lower with the new BIND.
> 
> Yes, BIND "finally" gained this feature quite some time ago.  (sadly a
> great many sites are still running BIND as root all the time)
> 
> Unfortunately it doesn't do something like Sendmail one bit of good in
> many modern systems, at least not with the default configs and installs,
> since any foreign code exploit can just make use of the saved

Sendmail is so horrible, modern systems should just simply ship with
something else instead. Postfix is a good alternative, and so is Courier.
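
The drop-root-and-chroot sequence discussed in this thread, with the saved set-user-ID given up as well, as an added example that is not part of either poster's message or of any project's code. The function names are hypothetical, and it assumes a POSIX system where setuid() called by root resets the real, effective and saved user IDs.

```c
#define _DEFAULT_SOURCE           /* glibc: expose chroot(), setgroups(), seteuid() */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Probe: 1 if this process is root or can get root back, else 0.
 * After a seteuid()-only drop the saved set-user-ID is still 0, so
 * seteuid(0) succeeds; that is the state this check catches. */
int root_regainable(void)
{
    return geteuid() == 0 || seteuid(0) == 0 || setuid(0) == 0;
}

/* Permanent drop into a chroot jail (hypothetical helper).
 * Must be called while still root. Returns 0 on success, -1 on failure. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (jail == NULL || uid == 0 || gid == 0) {
        errno = EINVAL;           /* dropping "to root" is not a drop */
        return -1;
    }
    /* chroot() needs root; chdir() puts the working directory inside the jail. */
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    /* Groups before user: once the UID is gone these calls would fail. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0)
        return -1;
    /* setuid() called as root sets the real, effective and saved UID. */
    if (setuid(uid) != 0)
        return -1;
    /* Verify rather than trust: root must now be out of reach. */
    return root_regainable() ? -1 : 0;
}

int main(int argc, char **argv)
{
    if (argc != 4)
        return 2;                 /* usage: prog jail-dir uid gid */
    if (drop_privileges(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
        perror("drop_privileges");
        return 1;                 /* never continue with partial privileges */
    }
    printf("running as uid=%d, root not regainable\n", (int)getuid());
    return 0;
}
```

A daemon would call drop_privileges() right after binding its privileged port and exit if it returns -1.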