[Opendnssec-develop] dropping privs

John Dickinson jad at jadickinson.co.uk
Thu Aug 13 15:42:26 UTC 2009


Is this just for a  network exposed XFR capable signer or all server  
processes? In other words are we worried about local exploits as well?  
I did think of removing the priv dropping from the enforcer daemon  
code I nicked from NSD since for most stuff there is no need to ever  
run as root in the first place.

John

On 13 Aug 2009, at 14:38, Jakob Schlyter wrote:

> until we have better support for dropping privs (as we would be  
> using privsep), Jelte & I just agreed to:
>
> 1. write pid
> 2. chroot
> 3. drop privs
> 4. create any sockets
>
> we can always try to unlink the pid-file upon exit(), but in case  
> we're chrooted that will fail.
>
> 	jakob
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop




More information about the Opendnssec-develop mailing list