From owner-freebsd-hackers@FreeBSD.ORG  Tue Jul 12 00:44:15 2011
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx2.freebsd.org (mx2.freebsd.org [IPv6:2001:4f8:fff6::35])
	by hub.freebsd.org (Postfix) with ESMTP id 88D111065670
	for <freebsd-hackers@freebsd.org>; Tue, 12 Jul 2011 00:44:15 +0000 (UTC)
	(envelope-from dougb@FreeBSD.org)
Received: from 65-241-43-4.globalsuite.net (hub.freebsd.org
	[IPv6:2001:4f8:fff6::36])
	by mx2.freebsd.org (Postfix) with ESMTP id 1C5C6157AF5;
	Tue, 12 Jul 2011 00:43:55 +0000 (UTC)
Message-ID: <4E1B98CA.7000806@FreeBSD.org>
Date: Mon, 11 Jul 2011 17:43:54 -0700
From: Doug Barton <dougb@FreeBSD.org>
Organization: http://SupersetSolutions.com/
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64;
	rv:5.0) Gecko/20110706 Thunderbird/5.0
MIME-Version: 1.0
To: Ilya Bakulin <webmaster@kibab.com>
References: <4E167C94.70300@kibab.com> <iv6ss5$1h5$1@dough.gmane.org>
	<4E186B89.8080003@FreeBSD.org> <4E18D88B.4060805@FreeBSD.org>
	<f4fefa42cac889f8e8726cededf32c14.squirrel@zugang.kibab.com>
In-Reply-To: <f4fefa42cac889f8e8726cededf32c14.squirrel@zugang.kibab.com>
X-Enigmail-Version: 1.2pre
OpenPGP: id=1A1ABC84
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-hackers@freebsd.org
Subject: Re: Capsicum project: Ideas needed
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2011 00:44:15 -0000

On 07/11/2011 05:08, Ilya Bakulin wrote:
> chroot constraints only filesystem namespace, but doesn't prevent process
> from sending/receiving data via network,

... which is kind of important for DNS software. :)

> or from accessing other global
> namespaces such as PID namespace, SHM namespace, and from executing any
> system calls.

Fair enough, although I'd love to see an actual threat analysis before I
concluded that BIND should be close to the top of the list.


Thanks for the response,

Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/