[Linux-disciples] chrooting bind9
Adam Rosi-Kessel
adam at rosi-kessel.org
Mon Oct 24 17:09:25 EDT 2005
Stephen R Laniel wrote:
> My boss recommends that I run BIND9 chrooted. Cool, sure,
> I'll do that, but I'm curious: why should BIND9 run chrooted
> when, say, people don't seem to suggest that Apache run
> chrooted? At least, people don't suggest it as often as they
> suggest it for BIND. /etc/init.d/bind9 even contains
> # for a chrooted server: "-u bind -t /var/lib/named"
> # Don't modify this line, change or create /etc/default/bind9.
> OPTIONS=""
> so it seems to be accepted wisdom to run chrooted. What's
> the logic?
I have no idea, but I can make up an answer. People do actually recommend
running Apache chrooted--it's much more secure that way, and I've seen a lot
of ISPs do just that.

But it can be kind of tricky to run Apache chrooted, given that it needs
access to people's home directories, lots of libraries and modules, etc.

So my guess is that BIND and its ilk are very easy to run chrooted because
they're much more self-contained than Apache, so it is an easy recommendation
to follow, and thus more standard.