Subject: re: proposals for running named in a non-root chroot cage
To: Luke Mewburn <lukem@wasabisystems.com>
From: matthew green <mrg@eterna.com.au>
List: tech-security
Date: 03/12/2001 00:00:08
   
   	- Startup script for named needs to ensure
   		/var/run/named.pid symlink to /var/named//var/run/named.pid
   		/var/run/ndc symlink to /var/named//var/run/ndc


actually, i believe that named itself should create these symlinks
prior to chroot(8) being called.  our named used to do this but an
upgrade sometime in the past year or two has lost this local feature.


the part about your `2' that i really don't like is how named_chrootdir
suddenly becomes extra magic....  `1', while being slightly more
annoying, is seemingly a more consistent choice.  but i'm not 100%
sold on either....


(BTW, note that syslogd also takes a `-P /file/of/sockets' option that
can specify multiple listening sockets for syslogd.  i typically use
/etc/syslogd.sockets.... but i am making no value judgement on using
either -p or -P.)



.mrg.
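An added example (not part of the message above, nor NetBSD's own rc script) of the symlink step the quoted proposal asks the startup script to perform: it makes /var/run/named.pid and /var/run/ndc outside the cage point at their counterparts under the chroot directory, so tools outside the chroot still find them. The `ROOT` prefix, and the function names `link_into_chroot`, `check_link` and `setup_named_links`, are assumptions introduced here so the script can be exercised in a scratch directory without privileges; a real rc script would run with an empty prefix as root.

```shell
#!/bin/sh
# Added example: create the named.pid / ndc symlinks that point into the
# named chroot.  ROOT is a hypothetical prefix (use "" on a real system).
set -eu

# link_into_chroot ROOT CHROOTDIR FILE
# Makes ROOT/FILE a symlink to CHROOTDIR/FILE.  Only a missing path or an
# existing symlink is replaced; a regular file in the way is left alone,
# since silently clobbering it would hide a misconfiguration.
link_into_chroot() {
    root=$1; chrootdir=$2; file=$3
    outside="$root$file"
    inside="$root$chrootdir$file"
    mkdir -p "$(dirname "$inside")" "$(dirname "$outside")"
    if [ -e "$outside" ] && [ ! -L "$outside" ]; then
        echo "refusing to replace non-symlink $outside" >&2
        return 1
    fi
    # -n: do not follow an existing symlink; link target is absolute, as it
    # must be for the real (unprefixed) case.
    ln -sfn "$chrootdir$file" "$outside"
}

# check_link ROOT CHROOTDIR FILE
# Succeeds when ROOT/FILE is a symlink whose target is exactly CHROOTDIR/FILE.
check_link() {
    root=$1; chrootdir=$2; file=$3
    [ -L "$root$file" ] && [ "$(readlink "$root$file")" = "$chrootdir$file" ]
}

# setup_named_links ROOT [CHROOTDIR]
# The two links the quoted proposal names, with /var/named as the default cage.
setup_named_links() {
    root=$1; chrootdir=${2:-/var/named}
    link_into_chroot "$root" "$chrootdir" /var/run/named.pid
    link_into_chroot "$root" "$chrootdir" /var/run/ndc
}

# Demonstration in a throwaway directory standing in for "/".
demo_root=$(mktemp -d)
setup_named_links "$demo_root" /var/named
ls -l "$demo_root/var/run"
rm -rf "$demo_root"
```

Because the link targets are absolute paths under the chroot directory, they dangle inside the scratch prefix but resolve correctly when the prefix is empty, which is the case the startup script cares about.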