[Dnssec-trigger] unbound in chroot

Simo Sorce ssorce at redhat.com
Fri Jun 27 13:03:12 UTC 2014

On Fri, 2014-06-27 at 16:36 +0800, P J P wrote:
>    Hi,
> > On Friday, 27 June 2014 1:04 PM, Petr Spacek wrote:
> > Is it worth? Chroot on Linux is notoriously broken/leaky. I'm not entirely 
> > sure that it adds more than false sense of security...
> Broken/leaky, how so?

chroots are not security measures.
It is easy to escape a chroot, so we need to carefully asses if the
additional burden it imposes is worth it.

If the main reason to use a chroot is to make unbound "more secure",
well I would drop it, it's not really worth it.

If you want to make unbound more secure then we should use a container
(which is also not completely secure, but it is much harder to attack if
namespaces and selinux are used correctly), but I think this is
excessive for most setups too.


More information about the dnssec-trigger mailing list