Date: Mon, 11 Jul 2011 17:43:54 -0700
From: Doug Barton <dougb@FreeBSD.org>
To: Ilya Bakulin <webmaster@kibab.com>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Capsicum project: Ideas needed
Message-ID: <4E1B98CA.7000806@FreeBSD.org>
In-Reply-To: <f4fefa42cac889f8e8726cededf32c14.squirrel@zugang.kibab.com>
References: <4E167C94.70300@kibab.com> <iv6ss5$1h5$1@dough.gmane.org>
 <4E186B89.8080003@FreeBSD.org> <4E18D88B.4060805@FreeBSD.org>
 <f4fefa42cac889f8e8726cededf32c14.squirrel@zugang.kibab.com>

On 07/11/2011 05:08, Ilya Bakulin wrote:

> chroot constrains only filesystem namespace, but doesn't prevent process
> from sending/receiving data via network,

... which is kind of important for DNS software. :)

> or from accessing other global
> namespaces such as PID namespace, SHM namespace, and from executing any
> system calls.

Fair enough, although I'd love to see an actual threat analysis before I
concluded that BIND should be close to the top of the list.

Thanks for the response,

Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
