[Opendnssec-develop] dropping privs

Jakob Schlyter jakob at kirei.se
Thu Aug 13 15:49:54 UTC 2009

On 13 aug 2009, at 17.42, John Dickinson wrote:

> Is this just for a network exposed XFR capable signer or all server
> processes?

for both the enforcer daemons and the signer engine.

> In other words are we worried about local exploits as well? I did  
> think of removing the priv dropping from the enforcer daemon code I  
> nicked from NSD since for most stuff there is no need to ever run as  
> root in the first place.

right, I'm not sure we should keep chroot for the release - perhaps  
drop privs is enough for now? if so, we should probably just drop  
privs, then write pid and sockets and whatnot.
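
The startup order suggested in this message (drop privileges, then create the pid file) can be sketched as follows. This is an added example, not code from OpenDNSSEC or NSD; the function names, the pid file path and the use of the current uid/gid in `main` are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE            /* for setgroups() on glibc */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently switch to uid/gid. 0 on success, -1 on failure. */
int drop_privs(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)   /* not root: nothing to drop, accept only an exact match */
        return (getuid() == uid && getgid() == gid) ? 0 : -1;
    if (uid == 0)
        return -1;                           /* "dropping" to root is a config error */
    if (setgroups(1, &gid) != 0) return -1;  /* discard root's supplementary groups */
    if (setgid(gid) != 0) return -1;         /* group before user: needs root to change */
    if (setuid(uid) != 0) return -1;         /* as root: real, effective and saved uid */
    if (setuid(0) == 0) return -1;           /* regaining root must be impossible */
    return 0;
}

/* Hypothetical helper: write our pid using the current (already dropped) credentials. */
int write_pidfile(const char *path)
{
    char buf[32];
    /* O_NOFOLLOW: refuse to write through a symlink planted at the pid file path. */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    int ok = (write(fd, buf, (size_t)n) == (ssize_t)n);
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Startup order from the message: drop first, create files second. */
int start_unprivileged(uid_t uid, gid_t gid, const char *pidfile)
{
    if (drop_privs(uid, gid) != 0)
        return -1;                           /* never carry on as root */
    return write_pidfile(pidfile);           /* file is owned by the unprivileged user */
}

int main(void)
{
    /* Constructed demo values: current ids and a pid file in /tmp. */
    return start_unprivileged(getuid(), getgid(), "/tmp/example-daemon.pid") == 0 ? 0 : 1;
}
```

With this order the pid file directory has to be writable by the unprivileged user, since nothing is created while the process is still root.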

