The biggest problem that you *may* encounter depending upon your
configuration is going to be log/status/debug files. Of course, if you
ever decide to be a slave for anything, your problems will be more
complex.

- Marc

On Sun, 23 Apr 2000, Derek Martin wrote:

> Today, Marc Evans gleaned this insight:
> 
> > People should really consider running daemons like named in a chroot'ed
> > environment (see http://www.psionic.com/papers/dns/ for example). You
> > should also consult the INSTALL file in the source distribution, which
> > discusses the -u, -g and -t options:
> > 
> >     User and Group ID
> > 
> >         Specifying "-u" followed by a username or numeric user id on the
> >         "named" command line will cause the server to give up all
> >         privileges and become that user after the initial load of the
> >         configuration file is complete.  "-g" may be used similarly to set
> >         the group id.  If "-u" is specified but "-g" is not, the group
> >         used will be the given user's primary group.
> > 
> >     Chroot
> > 
> >         "-t" followed by a directory path on the "named" command line will
> >         cause the server to chroot() to that directory before it starts
> >         loading the configuration file.
> > 
> 
> Cool.  I didn't know you could do this.  I knew this was possible in theory
> but I didn't know the code was already in there. I've got named running as
> user named now, and named has no ownership of any files on the system.  
> Does anyone know of any potential implications of this (i.e. named not
> being able to write to files it needs to write to)?
> 
> This is a master server only, so I am not requesting any zone transfers.
> Therefore I don't need to worry about being able to write to slave zone
> files.  But are there others that it may need to write to (i.e. to which
> it does not already have access prior to changing user)?
> 
> Preliminary testing suggests that this is working fine.
> 
> Thanks for the tip Marc.
> 
> 
> -- 
> PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
> ------------------------------------------------------
> Derek D. Martin      |  Unix/Linux Geek
> [EMAIL PROTECTED]  |  [EMAIL PROTECTED]
> ------------------------------------------------------
> 
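Derek's question (which files named must still be able to write after the -u/-g/-t switch: log, status and debug dumps, slave zone files) can be answered before the daemon is restarted. The script below is an added example and not part of the thread: a POSIX shell function that, given the unprivileged user and group and a list of paths inside the chroot, reports whether each path will be writable after the privilege drop and flags anything world-writable. It assumes GNU coreutils or busybox `stat`; the path names in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Before restarting named with
# "-u USER -g GROUP -t CHROOT", confirm that every file the daemon must
# write AFTER the privilege drop (log/status/debug dumps, slave zone files)
# is writable by that user or group, and that nothing is world-writable.
# Assumes GNU coreutils or busybox stat. The paths in the usage line are
# constructed; pass the directory instead of the file when named creates
# the file itself (e.g. a fresh named_dump.db).
#
# Usage: check_writable named named /var/named/named.run /var/named/slaves
# Output: one line per path ("ok", "NOT-WRITABLE", "WORLD-WRITABLE",
# "MISSING"); exit status is non-zero if any path is unusable or insecure.
check_writable() {
    user=$1; group=$2; shift 2
    rc=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; rc=1; continue
        fi
        # owner, group and symbolic mode, e.g. "named named -rw-r-----"
        info=$(stat -c '%U %G %A' "$p") || { echo "STAT-FAILED $p"; rc=1; continue; }
        owner=${info%% *}
        rest=${info#* }
        grp=${rest%% *}
        sym=${rest#* }
        # characters 3, 6 and 9 of the symbolic mode are the write bits
        ow=$(printf '%s' "$sym" | cut -c3)
        gw=$(printf '%s' "$sym" | cut -c6)
        ww=$(printf '%s' "$sym" | cut -c9)
        if [ "$ww" = "w" ]; then
            # writable by anyone: fix the mode rather than rely on it
            echo "WORLD-WRITABLE $p ($owner:$grp $sym)"; rc=1
        elif [ "$owner" = "$user" ] && [ "$ow" = "w" ]; then
            echo "ok $p"
        elif [ "$grp" = "$group" ] && [ "$gw" = "w" ]; then
            echo "ok $p"
        else
            # named will fail to write here once it has become $user
            echo "NOT-WRITABLE $p ($owner:$grp $sym)"; rc=1
        fi
    done
    return $rc
}
```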

