[Dnssec-trigger] unbound in chroot
Simo Sorce
ssorce at redhat.com
Fri Jun 27 13:03:12 UTC 2014
On Fri, 2014-06-27 at 16:36 +0800, P J P wrote:
> Hi,
>
> > On Friday, 27 June 2014 1:04 PM, Petr Spacek wrote:
> > Is it worth? Chroot on Linux is notoriously broken/leaky. I'm not entirely
> > sure that it adds more than false sense of security...
>
> Broken/leaky, how so?
chroots are not security measures.
It is easy to escape a chroot, so we need to carefully asses if the
additional burden it imposes is worth it.
If the main reason to use a chroot is to make unbound "more secure",
well I would drop it, it's not really worth it.
If you want to make unbound more secure then we should use a container
(which is also not completely secure, but it is much harder to attack if
namespaces and selinux are used correctly), but I think this is
excessive for most setups too.
Simo.
More information about the dnssec-trigger
mailing list