On 27 April 2016 at 03:07, Tony Finch <d...@dotat.at> wrote:

> Matthew Pounsett <m...@conundrum.com> wrote:
> >
> > Privsep doesn't actually fix the same problem chroot does. As I
> > understand it, privsep reduces the attack surface for remote execution
> > exploits by shuffling off privileged operations to a separate process, but
> > if that process isn't chrooted and it has a remote code execution flaw then
> > your entire system is opened up to attack.
>
> Actually it is normal for privsep processes to chroot themselves, usually
> to /var/empty - e.g.
>

Right, so "no chroot necessary" (which is what I was responding to) isn't accurate.