[Opendnssec-develop] dropping privs
Jakob Schlyter
jakob at kirei.se
Thu Aug 13 15:49:54 UTC 2009

On 13 aug 2009, at 17.42, John Dickinson wrote:

> Is this just for a network exposed XFR capable signer or all server
> processes?

for both the enforcer daemons and the signer engine.

> In other words are we worried about local exploits as well? I did
> think of removing the priv dropping from the enforcer daemon code I
> nicked from NSD since for most stuff there is no need to ever run as
> root in the first place.

right, I'm not sure we should keep chroot for the release - perhaps
drop privs is enough for now? if so, we should probably just drop
privs, then write pid and sockets and whatnot.

jakob
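
Added example (not part of the message above and not OpenDNSSEC or NSD code): a C sketch of the ordering discussed in the thread, dropping root first and only then creating the pid file so that it ends up owned by the unprivileged user. The function names, uid/gid 65534 and the pid file path are assumptions chosen for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1          /* exposes setgroups() in strict builds */
#endif
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 when the process ends up unprivileged, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                 /* "dropping" to root is a config error */
    if (geteuid() != 0)
        return 0;                  /* not started as root: nothing to drop */
    /* Order matters: groups and gid need root, so they go before setuid. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop is permanent: regaining root must fail. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

/* Create the pid file after the drop. O_EXCL and O_NOFOLLOW refuse an
 * existing file or a symlink planted at the path. */
int write_pidfile(const char *path)
{
    char buf[32];
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    int len = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    ssize_t n = write(fd, buf, (size_t)len);
    return (close(fd) == 0 && n == (ssize_t)len) ? 0 : -1;
}

int main(void)
{
    /* Constructed values: 65534 is commonly "nobody"; the path is a placeholder. */
    if (drop_privileges(65534, 65534) != 0 ||
        write_pidfile("/tmp/example-daemon.pid") != 0) {
        fprintf(stderr, "startup failed\n");
        return 1;
    }
    return 0;
}
```

With this ordering the directory that holds the pid file and sockets has to be writable by the unprivileged user before the daemon starts.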