Christos Zoulas wrote: > named seems to be needing random and null... It is reasonable to run > with nodev, but it buys you little... I mean the processes run as non-root > in a chroot you have created that only has the device nodes they > need. It would be hard for them to create more.
I didn't set nodev specifically for /var/chroot; my /var is mounted with nodev,noexec. It worked for me with no problem until I tried to chroot ntpd. It didn't fail to start, but it clearly didn't work. It's even more subtle for named. If it tries to open /dev/{random,urandom} in the chroot and fails without reporting the failure, it can be a potentially serious problem. It'd be nice if those daemons (or their rc.d scripts) reported nodev failures clearly and loudly. -- Alex
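An added example, not code from either message in this thread nor from any rc.d script: a small POSIX sh check of the failure mode Alex describes. It takes a chroot directory and a list of device names (defaulting to the null, random and urandom nodes named by Christos), verifies that each node exists under the chroot's /dev, is a character device and can actually be opened, and then looks at the mount(8) flags of the filesystem holding those nodes to warn when it is mounted nodev, which is exactly the case where the node looks right but open() is refused. The function name check_chroot_devs and the df/mount parsing are assumptions for this illustration; df -P and mount output are used because both read the same way on NetBSD and Linux.

```sh
#!/bin/sh
# check_chroot_devs DIR [dev ...]
# Hypothetical helper (assumption: not part of any project's rc.d scripts).
# Verifies that the device nodes a chrooted daemon needs are usable from
# inside DIR, and warns when the filesystem holding DIR/dev is mounted nodev.
# Returns 0 when everything checks out, 1 otherwise; each problem is
# reported on stderr so it can be run loudly from a startup script.
check_chroot_devs() {
    dir=$1
    shift
    # default to the nodes the thread says named needs
    [ $# -gt 0 ] || set -- null random urandom
    rc=0
    for d in "$@"; do
        node="$dir/dev/$d"
        if [ ! -e "$node" ]; then
            echo "MISSING: $node" >&2
            rc=1
            continue
        fi
        if [ ! -c "$node" ]; then
            echo "NOT A CHARACTER DEVICE: $node" >&2
            rc=1
            continue
        fi
        # Actually open the node for reading (open only, no read, so a
        # blocking /dev/random cannot hang us).  On a nodev mount the node
        # exists with the right type and mode, yet this open is refused.
        if ! ( : < "$node" ) 2>/dev/null; then
            echo "CANNOT OPEN: $node (nodev mount?)" >&2
            rc=1
        fi
    done
    # Find the mount point that holds DIR/dev (the nodes may sit on a
    # separate filesystem from DIR itself) and inspect its flags.
    mp=$(df -P "$dir/dev" 2>/dev/null | awk 'NR==2 {print $6}')
    if [ -n "$mp" ] && mount 2>/dev/null | grep " on $mp " | grep -q nodev; then
        echo "WARNING: $mp is mounted nodev; device nodes under $dir/dev will not work" >&2
        rc=1
    fi
    return $rc
}
```

Calling it as `check_chroot_devs /var/chroot/named || exit 1` before starting the daemon turns the silent failure into a visible one; the open() probe is the part that matters, since a stat()-only check passes on a nodev mount.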