Subject: mknod in a chroot jail
To: None <tech-security@NetBSD.org>
From: Edgar =?iso-8859-1?B?RnXf?= <firstname.lastname@example.org>
Date: 07/17/2005 11:50:42
As I started the thread about mknod in a chroot environment,
I'll have to make some comments on the discussion my query started:
It was suggested that I had turned off standard security mechanisms
and was surprised by the impacts this had.
No I'm not. I'm running securelevel 1 on all but two NetBSD machines
(0 on a netbooted sort-of-X-terminal, 2 on a paranoid syslog server).
It was suggested to mount all filesystems either ro or nodev.
I'm not aware of anything keeping me from mounting a memory file system
non-nodev at a mount point of my discretion.
It was suggested not to run any root processes chroot-ed.
What, then, is the preferred way of running named (or, mor generally,
providing name service) or ntpd?