From: Christian Axelsson <smiler@lanil.mine.nu>
To: Matt Rickard <frogger@gentoo.org>
Cc: gentoo-dev@gentoo.org
Subject: Re: [gentoo-dev] chroot USE flag?
Date: 18 Jul 2003 03:25:58 +0200 [thread overview]
Message-ID: <1058491558.12850.31.camel@sm-wks1.lan.irkk.nu> (raw)
In-Reply-To: <20030717204920.5afc6e5f.frogger@gentoo.org>
[-- Attachment #1: Type: text/plain, Size: 1993 bytes --]
On Fri, 2003-07-18 at 02:49, Matt Rickard wrote:
> On 18 Jul 2003 01:15:00 -0400
> Brandon Hale <brandon@comp-u-tek.com> wrote:
> > I propose a new USE flag for a few key services that would install the
> > package in a chroot "out of the box." This idea was inspired by a
> > conversation between Greg Fitzgerald (gregf) and myself on applying
> > ideas from OpenBSD to Gentoo. Another source of inspiration is the
> > excelent pkg_config code in the latest bind9 ebuilds. I further
> > discussed this idea w/ memebers of the gentoo-hardened team and
> > further crystalized the workings of such a flag. I would propose that
> > the ebuild include two conditional install proceedures keyed on the
> > chroot USE flag. The only possible problem I forsee is building
> > devices inside the sandbox, which could be accomplished in
> > pkg_postinstall as a last resort. I would be happy for any feedback or
> > further development of this idea.
>
> I think this is a good idea. A chroot USE flag would allow daemons to
> be chrooted transparently without users having to manually ebuild
> config. Chroot building could be done in the sandbox, and as Brandon
> mentioned, we could create the device files with pkg_postinst. These
> could be removed with pkg_postrm explicitly.
>
> Eventually I would like to see this USE flag apply to more daemons than
> just bind. I don't know which other packages in portage currently have
> chrooting options (anyone help me out here?), but I'd at least like to
> see this for ntpd and apache to start.
PowerDNS is another, apache can run chrooted (but you loose a few
features, but on a production server those shouldnt be very important).
I bet there are many we-run-as-root servers out there that fairly easy
can be chrooted (actually in theory you can chroot almost all services).
I propose yes to this aswell.
--
Christan Axelsson
smiler@lanil.mine.nu
GPG key ID
6C3C55D9 @ ldap://keyserver.pgp.com
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
prev parent reply other threads:[~2003-07-18 1:41 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-07-18 5:15 [gentoo-dev] chroot USE flag? Brandon Hale
2003-07-17 12:52 ` Alvaro Figueroa Cabezas
2003-07-18 6:44 ` Brandon Hale
2003-07-18 6:54 ` Brandon Hale
2003-07-18 3:08 ` Ned Ludd
2003-07-18 6:43 ` Toby Dickenson
2003-07-18 2:08 ` Alvaro Figueroa Cabezas
2003-07-18 0:49 ` Matt Rickard
2003-07-18 1:25 ` Christian Axelsson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1058491558.12850.31.camel@sm-wks1.lan.irkk.nu \
--to=smiler@lanil.mine.nu \
--cc=frogger@gentoo.org \
--cc=gentoo-dev@gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox