[ i do read the list so i don't need a CC ]

On Mon, Apr 23, 2001 at 03:12:59PM +1200, Nicholas Lee wrote:
> On Sun, Apr 22, 2001 at 04:54:42PM -0800, Ethan Benson wrote:
> >
> > fine, no disagreement here, what i'm pointing out is that with at least
> > bind 8 (someone mentioned bind 9 works differently) it's not open to
> > debate, you either have bind binaries in the chroot jail or bind
> > doesn't work.
>
> No, only named-xfer.

that's my point, named-xfer IS a bind binary, and it must live in the
chroot jail or bind8 breaks.

> With ndc you just go say: /usr/sbin/ndc -c /var/named/var/run/ndc

i have never said ndc needed to be there. the only binaries i ever put
into a chroot are named and named-xfer, apparently named is not actually
necessary.

> > so long as your chroot jail isn't set up wrong (ie chown -R
> > named.named) i don't really see any risk here.
>
> Maybe, but if there is no need for binaries to be in the chroot, why put
> them there.

if you have to you have to (named-xfer).

> True, but it's not the default and the local syslog might not even be
> listening.

yes it is the default. bind logs to /dev/log. the fact that you chroot
and the /dev/log it's logging to is now /var/named/dev/log is not
relevant to bind.

> > SYSLOGD="-a /var/named/dev/log"
>
> Yeah, but is secure-bind (or bind-chroot) allowed to reach and change
> this variable? Plus can it be sure that sysklogd doesn't reach out and
> change it?

/etc/init.d/sysklogd is a conffile, sysklogd cannot change it without
the admin's permission. as for how this package changes it i don't
know, there is no policy compliant way to do it other than a message to
the admin saying if they want bind to log they have to fix the
initscript themselves.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
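The two things the thread argues about (which binaries actually sit in the bind8 jail, and whether sysklogd has been told to listen on the jail's /dev/log) are both easy to audit from a shell. The script below is an added example, not code from the thread or from the secure-bind/bind-chroot packages; it assumes the jail is at /var/named and that the sysklogd initscript sets a `SYSLOGD=` variable as quoted above.

```shell
#!/bin/sh
# Added example: audit a bind8 chroot jail against the points discussed
# in the thread. Jail path and initscript location are assumptions.

# Return 0 if a SYSLOGD= line in the initscript passes "-a <jail>/dev/log",
# i.e. syslogd will actually create and listen on the socket inside the jail.
# Usage: syslogd_listens_in_jail /etc/init.d/sysklogd /var/named
syslogd_listens_in_jail() {
    initscript=$1
    jail=$2
    grep -E '^[[:space:]]*SYSLOGD=' "$initscript" \
        | grep -q -- "-a[[:space:]]*${jail}/dev/log"
}

# List every executable file inside the jail, paths relative to the jail root.
# For bind8 the only expected entry is named-xfer; anything else should be
# explained or removed.
jail_binaries() {
    jail=$1
    find "$jail" -type f -perm -u+x | sed "s|^${jail}||" | sort
}

# Return 0 if the jail contains exactly the executables given as arguments.
# Usage: jail_has_only /var/named /usr/sbin/named-xfer
jail_has_only() {
    jail=$1
    shift
    expected=$(printf '%s\n' "$@" | sort)
    [ "$(jail_binaries "$jail")" = "$expected" ]
}

# Return 0 if <jail>/dev/log exists and is a socket. If it is missing, named
# inside the jail opens nothing and its log messages are silently lost.
jail_log_socket_ok() {
    [ -S "$1/dev/log" ]
}

# Stand-alone run: audit the assumed jail and initscript, report each result.
if [ "${0##*/}" = "bind-jail-audit.sh" ]; then
    jail=/var/named
    syslogd_listens_in_jail /etc/init.d/sysklogd "$jail" \
        && echo "syslogd: -a $jail/dev/log present" \
        || echo "syslogd: NOT listening in $jail (edit SYSLOGD= in the initscript)"
    jail_log_socket_ok "$jail" \
        && echo "socket:  $jail/dev/log is a socket" \
        || echo "socket:  $jail/dev/log missing or not a socket"
    echo "executables in jail:"
    jail_binaries "$jail"
fi
```

The socket check is only meaningful on a running system, since syslogd creates the socket at start-up; the other two checks work against copies of the files and are the ones worth putting in a package's postinst or a cron audit.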