chroot?

Glenn Satchell Glenn.Satchell at uniq.com.au
Thu Jan 18 13:29:10 UTC 2007


>Date: Wed, 17 Jan 2007 07:26:47 -0800 (PST)
>From: "Luc T." <taoh666 at yahoo.com>
>Subject: chroot?
>To: dhcp-users at isc.org
>
>I am running dhcpd as
>  /usr/sbin/dhcpd -user dhcpd -group nogroup eth0
>  in a production environment.
>   
>  I did not run it with chroot.
>   
>  my question is if I should run dhcpd with chroot in a production environment.
>  what are the disadvantages if I do not run with chroot?
>   
>  in addition, what if I run as root, rather than dhcpd? which way is better?
>   
>  thanks!
>
Hi Luc

-user, -group and -chroot were options added by one of the Linux or BSD
distros (I forget which one, but it's at least the one you're using :).
They are not part of the standard ISC dhcpd distribution. So the vast
majority of users, who use the standard ISC dhcpd, run the process as
root and do not have any chroot functionality. In my experience
this has never been the cause of any operational problems.

The logic behind running as a non-root user in a chroot environment is
that this is more secure because you are running with less privileges.
If a compromise was found then access would be as the lower privileged
user and in a chroot environment so you couldn't access any other parts
of the system.

You need to work out whether any of these security implications matter
to you. If you are running dhcpd in a closed network then this may not
matter as much as if you were providing dhcp services across the
internet for example.

regards,
-glenn
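
Added example, not part of the original post or of ISC dhcpd: a Linux-only check of the two properties discussed in this thread, whether a running daemon still holds a root UID/GID and whether its root directory is the real `/`. It reads `/proc/<pid>/status` and the `/proc/<pid>/root` link; the sample status text, the IDs 101 and 65534, and the jail path `/var/lib/dhcp` are constructed for illustration.

```python
import os
import sys


def parse_status(text):
    """Return (real, effective) UID and GID pairs from /proc/<pid>/status text."""
    ids = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in ("Uid", "Gid"):
            # Kernel field order: real, effective, saved, filesystem
            real, effective = value.split()[:2]
            ids[key.lower()] = (int(real), int(effective))
    return ids


def assess(status_text, root_target):
    """List findings for one process; an empty list means non-root and chrooted."""
    ids = parse_status(status_text)
    findings = []
    # A missing Uid/Gid line is treated as root so that a parse gap is not a pass.
    if 0 in ids.get("uid", (0, 0)):
        findings.append("runs with root UID")
    if 0 in ids.get("gid", (0, 0)):
        findings.append("runs with root GID")
    if root_target == "/":
        findings.append("not chrooted")
    return findings


def assess_pid(pid):
    """Check a live process (reading another user's root link needs root)."""
    with open(f"/proc/{pid}/status") as fh:
        status_text = fh.read()
    return assess(status_text, os.readlink(f"/proc/{pid}/root"))


# Constructed sample inputs, not captured from a real system.
SAMPLE_ROOT = "Name:\tdhcpd\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
SAMPLE_JAILED = "Name:\tdhcpd\nUid:\t101\t101\t101\t101\nGid:\t65534\t65534\t65534\t65534\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(assess_pid(int(sys.argv[1])) or "non-root and chrooted")
    else:
        print(assess(SAMPLE_ROOT, "/"))
        print(assess(SAMPLE_JAILED, "/var/lib/dhcp"))
```

Run with a PID argument to check a live daemon, or with no argument to see the two constructed cases.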

