'succesful' nsupdate of remote server not persistent across nameserver restart?
Tony Finch
dot at dotat.at
Wed Apr 27 10:07:53 UTC 2016
Matthew Pounsett <matt at conundrum.com> wrote:
>
> Privsep doesn't actually fix the same problem chroot does. As I
> understand it, privsep reduces the attack surface for remote execution
> exploits by shuffling off privileged operations to a separate process, but
> if that process isn't chrooted and it has a remote code execution flaw then
> your entire system is opened up to attack.
Actually it is normal for privsep processes to chroot themselves, usually
to /var/empty - e.g.
https://github.com/openssh/openssh-portable/blob/master/sshd.c#l642
https://github.com/openntpd-portable/openntpd-openbsd/blob/master/src/usr.sbin/ntpd/ntp.c#l130
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Biscay: North 4 or 5. Slight or moderate. Showers. Good.
More information about the bind-users
mailing list