Sam Couter <[EMAIL PROTECTED]> writes:

> Because the files accessed from within the chroot once it's broken are the
> SAME FILES as on the real system.

We're not discussing running two binds on a system, one in a chroot and one not. (Although I think I understand your concern now.) We're discussing running exactly one bind in a chroot, so that if bind is exploited, the damage is minimized. Then, for ease of maintenance, we're discussing symlinking /etc/bind to /wherever/chroot/etc/bind, so you can edit the configuration files as if they were in etc. We're on the same page so far, right?

Your concern seems to be that an attacker would break the bind within the chroot and edit the configuration files. If the files were copied from a file outside the chroot (and thus out of their realm to modify), you think this would add security, right?

It would add as much security to have but one copy of those files modifiable only by root, read-only by anyone else (i.e., the bind process in the chroot). Then, unless the attacker managed to get root from bind, they can't modify the files... and if they could get root from bind, they can break the chroot anyway. (man 2 chroot)

--
Alan Shutko <[EMAIL PROTECTED]> - In a variety of flavors!
If *I* had a hammer, there'd be no more folk singers.
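An added example, not part of the original message: a shell audit of the layout described above, checking that the /etc/bind symlink resolves inside the chroot and that nothing in the configuration tree is writable by anyone other than its owner. The function names `link_inside_chroot` and `audit_chroot_conf` are hypothetical, and the paths in the usage comment are the ones used in the message.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.
# Usage, with the paths from the message:
#   link_inside_chroot /etc/bind /wherever/chroot && audit_chroot_conf /etc/bind

# link_inside_chroot LINK CHROOT
# Returns 0 if LINK resolves to a directory under CHROOT, 1 if it resolves
# elsewhere, 2 if either path cannot be entered.
link_inside_chroot() {
    real_link=$(cd -P -- "$1" 2>/dev/null && pwd -P) || return 2
    real_root=$(cd -P -- "$2" 2>/dev/null && pwd -P) || return 2
    # Compare physical paths; the trailing slash stops /x/chroot2 matching /x/chroot.
    case "$real_link/" in
        "$real_root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_chroot_conf DIR [OWNER]
# Prints every entry under DIR that is not owned by OWNER (default: root) or
# that is group- or world-writable. Returns 1 if any such entry exists.
audit_chroot_conf() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || return 2
    # -H follows DIR itself when it is the /etc/bind symlink. Symlinks found
    # inside the tree are skipped: their own mode bits carry no meaning.
    bad=$(find -H "$dir" ! -type l \
            \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```
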