public inbox for gentoo-dev@lists.gentoo.org
 help / color / mirror / Atom feed
From: Christian Axelsson <smiler@lanil.mine.nu>
To: Matt Rickard <frogger@gentoo.org>
Cc: gentoo-dev@gentoo.org
Subject: Re: [gentoo-dev] chroot USE flag?
Date: 18 Jul 2003 03:25:58 +0200	[thread overview]
Message-ID: <1058491558.12850.31.camel@sm-wks1.lan.irkk.nu> (raw)
In-Reply-To: <20030717204920.5afc6e5f.frogger@gentoo.org>

[-- Attachment #1: Type: text/plain, Size: 1993 bytes --]

On Fri, 2003-07-18 at 02:49, Matt Rickard wrote:
> On 18 Jul 2003 01:15:00 -0400
> Brandon Hale <brandon@comp-u-tek.com> wrote:
> > I propose a new USE flag for a few key services that would install the
> > package in a chroot "out of the box." This idea was inspired by a
> > conversation between Greg Fitzgerald (gregf) and myself on applying
> > ideas from OpenBSD to Gentoo. Another source of inspiration is the
> > excelent pkg_config code in the latest bind9 ebuilds. I further
> > discussed this idea w/ memebers of the gentoo-hardened team and
> > further crystalized the workings of such a flag. I would propose that
> > the ebuild include two conditional install proceedures keyed on the
> > chroot USE flag. The only possible problem I forsee is building
> > devices inside the sandbox, which could be accomplished in
> > pkg_postinstall as a last resort. I would be happy for any feedback or
> > further development of this idea.
> 
> I think this is a good idea.  A chroot USE flag would allow daemons to
> be chrooted transparently without users having to manually ebuild
> config.  Chroot building could be done in the sandbox, and as Brandon
> mentioned, we could create the device files with pkg_postinst.  These
> could be removed with pkg_postrm explicitly.
> 
> Eventually I would like to see this USE flag apply to more daemons than
> just bind.  I don't know which other packages in portage currently have
> chrooting options (anyone help me out here?), but I'd at least like to
> see this for ntpd and apache to start.

PowerDNS is another, apache can run chrooted (but you loose a few
features, but on a production server those shouldnt be very important).
I bet there are many we-run-as-root servers out there that fairly easy
can be chrooted (actually in theory you can chroot almost all services).

I propose yes to this aswell.

-- 
Christan Axelsson 
  smiler@lanil.mine.nu

GPG key ID
  6C3C55D9 @ ldap://keyserver.pgp.com

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

      reply	other threads:[~2003-07-18  1:41 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-07-18  5:15 [gentoo-dev] chroot USE flag? Brandon Hale
2003-07-17 12:52 ` Alvaro Figueroa Cabezas
2003-07-18  6:44   ` Brandon Hale
2003-07-18  6:54   ` Brandon Hale
2003-07-18  3:08     ` Ned Ludd
2003-07-18  6:43     ` Toby Dickenson
2003-07-18  2:08       ` Alvaro Figueroa Cabezas
2003-07-18  0:49 ` Matt Rickard
2003-07-18  1:25   ` Christian Axelsson [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1058491558.12850.31.camel@sm-wks1.lan.irkk.nu \
    --to=smiler@lanil.mine.nu \
    --cc=frogger@gentoo.org \
    --cc=gentoo-dev@gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox