Re: Beta1: FeatureRequest

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Sun, 6 Nov 2011 18:08:08 -0800 (PST)

On Sun, 6 Nov 2011, Andreas Schulze wrote:
> I'm just playing with the chroot feature. It looks to me like the chroot
> directory could not be empty. I need a syslog socket, and at least some
> libraries and files for switching uids.
>
> In fact I still have a script "update-opendkim-chroot". It should be
> called at every opendkim-start.
>
> Maybe there could be a config-item "PreChrootScript". OpenDKIM execs this
> script just before chroot and exits if the script fails.

Off the top of my head, I'm uneasy about this. I think opendkim executing
something else as root is a little dangerous.

Isn't this the same as having a script you run that builds the chroot and
then executes opendkim configured to run inside it? That way we don't
have to add another feature or take over maintenance of something
that's basically outside of our control.

I think I might be comfortable with a new configuration parameter that
gives a list of files that have to exist, and maybe corresponding
permissions, that it will check after calling chroot() but before starting
normal operations.

What do other chroot-aware packages do with respect to this kind of thing?

-MSK
Received on Mon Nov 07 2011 - 02:08:24 PST
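
The post-chroot() file check suggested in the reply above, sketched in C as an added example; it is not part of the original message and not OpenDKIM code. The manifest structure, the function name and the sample entries are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical manifest entry; not an OpenDKIM configuration format. */
struct required_file {
    const char *path;     /* absolute path as seen inside the chroot */
    mode_t      type;     /* expected S_IFMT value: S_IFREG, S_IFDIR, S_IFSOCK */
    mode_t      max_mode; /* permission bits allowed; any extra bit fails */
};
/* Check each entry under `root` ("" once chroot() has been called).
 * lstat() is used so a symlink cannot stand in for a required file.
 * Returns the number of failing entries; 0 means the chroot is usable. */
int check_chroot_files(const char *root, const struct required_file *req,
                       size_t n, FILE *log)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        char full[4096];
        struct stat st;
        int len = snprintf(full, sizeof full, "%s%s", root, req[i].path);
        if (len < 0 || (size_t)len >= sizeof full || lstat(full, &st) != 0) {
            fprintf(log, "missing: %s\n", req[i].path);
            bad++;
        } else if ((st.st_mode & S_IFMT) != req[i].type) {
            fprintf(log, "wrong type: %s\n", req[i].path);
            bad++;
        } else if ((st.st_mode & 07777) & ~req[i].max_mode) {
            fprintf(log, "too permissive: %s\n", req[i].path);
            bad++;
        }
    }
    return bad;
}
int main(int argc, char **argv)
{
    /* Constructed sample manifest: syslog socket plus a uid-lookup file. */
    static const struct required_file req[] = {
        { "/dev/log",    S_IFSOCK, 0666 },
        { "/etc/passwd", S_IFREG,  0644 },
    };
    if (argc != 2 || chroot(argv[1]) != 0 || chdir("/") != 0) {
        perror("chroot");
        return EXIT_FAILURE;
    }
    return check_chroot_files("", req, 2, stderr) ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Run as root with the chroot directory as the only argument; a non-zero exit status means the daemon should refuse to start.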
