| [0] http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-chroot
|
| There are tools in Debian however, that make it easier to set up
| chroots, such as jailer or jailtool.
you have to separate between packages setting up chroot environments for e.g. bind or apache, and on the other hand privsep-like things where daemons just chroot to an empty or near-empty directory with no additional administrative hassle. the latter is in fact done by e.g. postfix and sshd in debian... and radvd would, i think, be in the latter category as well.
bear in mind that the howto referenced above is not any sort of normative policy spec :)
Yes, I think for the most part, radvd could be in a chroot jail.
But there are a couple of issues which might be a bit tricky. In particular, radvd re-reads the configuration file upon HUP. So, I guess that would mean that the config file would have to be moved to the chroot? The pid file would also have to be there, I guess.
A copy of /proc and a couple of /dev/ files are probably easier to arrange.
But I guess patches would be considered. This is something that cannot be done in a generic fashion upstream I think, so it would have to be done in Debian packages. I might end up doing it in the redhat.spec if you do the dirty work and show how these could be automated in a reasonable manner ;-).
--
Pekka Savola, Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings