[csw-maintainers] How about this BIND bug?

Philip Brown phil at bolthole.com
Mon Mar 9 21:55:09 CET 2009


On Mon, Mar 09, 2009 at 09:27:45PM +0100, Peter Bonivart wrote:
> I just got a bug report from someone trying to run BIND in chroot.
> 
> http://www.opencsw.org/mantis/view.php?id=3460
> 
> Is this something we're supposed to support? I'm updating the package
> quickly to keep up with safety concerns and it already runs as an
> unprivileged user as it is. Doesn't this bug go beyond what the
> package is supposed to deliver?
> 
> I would be willing to include documentation though on how to run it chroot'ed.

Seems like someone was nice enough to step up and help on this, so that's
great :)

I thought I'd write some thoughts in the interests of addressing the
"general principle" of it, though...

Our primary goal is to make our software [straightforward and easy to use]
for our users.

Running BIND in a chroot jail is common practice for that piece of
software. Some security-conscious people would argue that it is
the ONLY "safe" way to run it.
 [I wouldn't agree, but that's not the point :-)]

Because of this, I think that in this specific case, it would be very
appropriate for us to try to make that a one-step option.

And, happily, sounds like we are going to. So I look forward to seeing
the bind_chroot package ;-)
I'm not entirely sure that it's really necessary to have a separate
package for it.... but if it helps split up the labour required for us to
support it, I'm ok with it.



