BIND9 does not even need CAP_SYS_RESOURCE. It is running in a vserver here (1.2x) without problems with S_CAP="" in the config file.
Why grant it things it does not need?
Standard bind9 on Debian does not even start without CAP_SYS_RESOURCE. That's why there are packages from Paul Sladen.
Yes, I know that it can extend its process limits in vs1.26, but it's still better than running bind9 in the root server.
I'm using the standard bind9, because of the convenience security.debian.org is providing.
-- lg, Chris
_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
