chrooting bind is probably worthwhile because

* bind has an abysmal record
* gaining access to the system with uid/gid==bind may well allow an intruder to gain elevated privileges by exploiting a locally-accessible vulnerability, which would otherwise not be exposed

yes, it's a pain, but it should be an option at least until a more secure dns makes its way into the distribution.

regards,
thomas

On Mon, 5 Jun 2000, Carlos Carvalho wrote:
> I wonder if running bind (not as root, of course) in a chroot jail is
> really worth the hassle. If you give it a correct uid/gid it'll only
> have access to public read-only files after all. If it were just a
> config option it'd be fine, but there's the mess with libs et. al.
> that does need some determination to overcome...

