[csw-maintainers] How about this BIND bug?

Ben Walton bwalton at opencsw.org
Mon Mar 9 21:38:37 CET 2009


Excerpts from Peter Bonivart's message of Mon Mar 09 16:27:45 -0400 2009:
> I just got a bug report from someone trying to run BIND in chroot.
> 
> http://www.opencsw.org/mantis/view.php?id=3460
> 
> Is this something we're supposed to support? I'm updating the
> package

That I can't answer...

> quickly to keep up with safety concerns and it already runs as an
> unprivileged user as it is. Doesn't this bug go beyond what the
> package is supposed to deliver?

Red Hat supplies a bind-chroot package that I take advantage of.  It
provides only the following (would need a few tweaks for Solaris):

/var/named/chroot
/var/named/chroot/dev
/var/named/chroot/dev/null
/var/named/chroot/dev/random
/var/named/chroot/dev/zero
/var/named/chroot/etc
/var/named/chroot/etc/localtime
/var/named/chroot/etc/named.conf
/var/named/chroot/etc/rndc.key
/var/named/chroot/var
/var/named/chroot/var/named
/var/named/chroot/var/named/data
/var/named/chroot/var/named/slaves
/var/named/chroot/var/run
/var/named/chroot/var/run/named
/var/named/chroot/var/tmp

and then some scripts to set it up.  The init script is aware of the
possibility that this package might be installed and does a few things
it wouldn't normally do.  I can get you the scripts from Red Hat if
you're interested in seeing how they do it.

Not saying you should do this, but based on how it's being done
elsewhere, it may not be as 'insane' as it sounds up front.

HTH
-Ben
-- 
Ben Walton
Systems Programmer - CHASS
University of Toronto
C:416.407.5610 | W:416.978.4302

GPG Key Id: 8E89F6D2; Key Server: pgp.mit.edu
Contact me to arrange for a CAcert assurance meeting.