[Opendnssec-develop] dropping privs

John Dickinson
jad at jadickinson.co.uk
Thu Aug 13 15:42:26 UTC 2009

Is this just for a network exposed XFR capable signer or all server
processes? In other words are we worried about local exploits as well?

I did think of removing the priv dropping from the enforcer daemon
code I nicked from NSD since for most stuff there is no need to ever
run as root in the first place.

John

On 13 Aug 2009, at 14:38, Jakob Schlyter wrote:
> until we have better support for dropping privs (as we would be
> using privsep), Jelte & I just agreed to:
>
> 1. write pid
> 2. chroot
> 3. drop privs
> 4. create any sockets
>
> we can always try to unlink the pid-file upon exit(), but in case
> we're chrooted that will fail.
>
> jakob
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
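
The startup order quoted above (write pid, chroot, drop privs, create sockets), sketched in C as an added example that is not part of this thread or of OpenDNSSEC's code. All function names and paths are hypothetical; `path_in_chroot` shows when the unlink at exit can or cannot reach the pid file.

```c
#define _DEFAULT_SOURCE            /* for chroot() and setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Name of `path` as seen from inside `jail`, or NULL when it lies outside
 * the jail (the case where unlink() at exit cannot work). */
const char *path_in_chroot(const char *jail, const char *path) {
    size_t n = strlen(jail);
    while (n > 0 && jail[n - 1] == '/') n--;          /* ignore trailing '/' */
    if (strncmp(jail, path, n) != 0 || path[n] != '/') return NULL;
    return path + n;
}

/* Steps 1-4 in the agreed order; must be started as root.
 * Returns the socket fd, or -1 on the first failure. */
int start_daemon(const char *jail, const char *pidfile, uid_t uid, gid_t gid) {
    FILE *f = fopen(pidfile, "w");                    /* 1. write pid */
    if (!f) return -1;
    fprintf(f, "%ld\n", (long)getpid());
    if (fclose(f) != 0) return -1;
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;   /* 2. chroot */
    /* 3. drop privs: supplementary groups, then gid, then uid */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) return -1;                    /* root must be gone */
    /* 4. create sockets, now unprivileged (typically no ports below 1024) */
    return socket(AF_INET, SOCK_DGRAM, 0);
}

/* At exit: works only if the pid file has a name inside the jail and the
 * unprivileged user may write to its directory. */
int remove_pidfile(const char *jail, const char *pidfile) {
    const char *p = path_in_chroot(jail, pidfile);
    return p ? unlink(p) : -1;
}

int main(void) {
    /* Constructed paths: the first pid file is outside the jail. */
    const char *a = path_in_chroot("/var/jail", "/var/run/daemon.pid");
    const char *b = path_in_chroot("/var/jail", "/var/jail/run/daemon.pid");
    printf("%s\n%s\n", a ? a : "(unreachable)", b ? b : "(unreachable)");
    return 0;
}
```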