Tom <[email protected]> wrote:

> What's the reason that it isn't necessary to run a modern version of bind in a jail?
chroot is a defence against privilege escalation following a remote code execution vulnerability. It isn't a very solid defence. And BIND 9 tends to die of a self-check failure before remote code execution occurs, judging by the last few years of vulnerability notices. Also, on Linux, named drops most capabilities.

Stricter partitions (VMs or containers) which you can easily nuke and rebuild from scratch mean there's much less need for chroot.

I still chroot my servers :-)

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/ - I xn--zr8h punycode
Sole, Lundy, Fastnet: Easterly or northeasterly 5 to 7, becoming variable 3 or 4 later. Rough or very rough, becoming slight or moderate later. Rain or showers. Moderate or good, occasionally poor.
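As an added example (not part of the thread), this is the check an operator can run on a Linux box to verify the two points above for their own named: decode which capabilities the running process still holds from `CapEff` in `/proc/<pid>/status`, and compare `/proc/<pid>/root` against `/` to see whether it is chrooted. The capability bit table is the kernel's (capability.h); the status text in the block is a constructed sample, and the function names are mine.

```python
"""Audit a running named on Linux: remaining capabilities and chroot status."""
import os
import sys

# Linux capability bit numbers, in order, from include/uapi/linux/capability.h.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Constructed sample of /proc/<pid>/status for a named that kept only
# CAP_NET_BIND_SERVICE (bit 10) as effective; not captured from a real host.
SAMPLE_STATUS = (
    "Name:\tnamed\nUid:\t108\t108\t108\t108\nGid:\t112\t112\t112\t112\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\nCapBnd:\t000001ffffffffff\n"
)

def decode_caps(hex_mask):
    """Turn a CapEff/CapBnd hex mask into the list of set capability names."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]

def parse_status(text):
    """Extract effective uid and the effective/bounding capability sets."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {
        "uid": int(fields["Uid"].split()[1]),       # second column is euid
        "effective": decode_caps(fields["CapEff"]),
        "bounding": decode_caps(fields["CapBnd"]),
    }

def audit_pid(pid):
    """Read the live process; /proc/<pid>/root differs from / when chrooted."""
    with open(f"/proc/{pid}/status") as f:
        info = parse_status(f.read())
    info["chrooted"] = os.readlink(f"/proc/{pid}/root") != "/"
    return info

if __name__ == "__main__":
    info = audit_pid(int(sys.argv[1])) if len(sys.argv) > 1 else parse_status(SAMPLE_STATUS)
    print(f"euid={info['uid']} chrooted={info.get('chrooted', 'n/a')}")
    print("effective caps:", ", ".join(info["effective"]) or "(none)")
```

Run it as `python3 audit_named.py $(pidof named)` as root; without an argument it decodes the constructed sample.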

