On Dec 19, Henrik Ahlgren <pa...@seestieto.com> wrote:

> Take bind9 named(8) for example – it can chroot (with -t) but AFAIK
> Debian does not use it by default, and I think using the various
Because it makes managing it much harder, since /etc/bind/ then moves to 
/var/.
Systemd directives like ProtectSystem, ReadOnlyPaths, etc. are much 
easier to use than a blunt chroot.

> systemd sandboxing would be much more friendly approach. (The security
> track record of BIND is sadly not the greatest.)
This is an urban legend: actually you are thinking of BIND 8.
BIND 9 is a totally different code base and it reliably kills itself 
when something goes wrong.

-- 
ciao,
Marco
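
The systemd sandboxing that the reply above prefers over `-t` chroot, written out as a unit drop-in. This is an added example, not Marco's or Debian's configuration: the unit name `named.service`, the drop-in path, and the writable directories (`/var/cache/bind`, `/var/lib/bind`, `/run/named`) are assumptions about a Debian bind9 install and must be checked against the local layout before use; `/etc/bind` is the config directory the thread mentions.

```ini
# /etc/systemd/system/named.service.d/hardening.conf  (assumed path)
# Added example: confines named(8) with systemd directives instead of
# chroot, so /etc/bind stays where it is and stays read-only to the daemon.
[Service]
# Whole filesystem read-only except the paths listed below; /etc/bind
# (config, keys, rndc.key) is explicitly read-only.
ProtectSystem=strict
ReadOnlyPaths=/etc/bind
# Assumed Debian directories: zone cache, dynamic/DNSSEC-managed zones, pid file.
ReadWritePaths=/var/cache/bind /var/lib/bind /run/named
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# named starts as root, binds port 53, then drops to the bind user itself
# (-u bind), so it needs setuid/setgid in addition to net_bind_service.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_SYS_CHROOT
NoNewPrivileges=yes
# Sockets the daemon actually needs; AF_NETLINK is used to enumerate interfaces.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
```

After `systemctl daemon-reload` and a restart, `systemd-analyze security named.service` scores the result and lists any directive still left open; if the daemon fails to start, the journal shows which path or capability the sandbox denied, which is exactly the kind of tuning that is awkward to do with a chroot and a copied `/etc/bind`.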
