On 27 April 2016 at 03:07, Tony Finch <[email protected]> wrote: > Matthew Pounsett <[email protected]> wrote: > > > > Privsep doesn't actually fix the same problem chroot does. As I > > understand it, privsep reduces the attack surface for remote execution > > exploits by shuffling off privileged operations to a separate process, > but > > if that process isn't chrooted and it has a remote code execution flaw > then > > your entire system is opened up to attack. > > Actually it is normal for privsep processes to chroot themselves, usually > to /var/empty - e.g. >
Right, so "no chroot necessary" (which is what I was responding to) isn't accurate.
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users
