My point is that you CAN change SCSI simply by echoing things into one
of the adapter instances under /proc/scsi in Linux - I've done it many
times. That isn't the only thing that can be echoed into /proc to
change things - just the first one that comes to mind. By mounting
/proc in your chroot environment without doing it in read only mode
you've opened the door to anything that could be done in the real /proc.

Obviously permissions, users etc... in chroot can limit this for the
script kiddies but again the point in chroot is to contain damage in the
even the chroot environment IS compromised. Allowing access to key
areas of the base operating system such as /proc would seem to
invalidate that containment ideal.

-----Original Message-----
From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On
Behalf Of Matus UHLAR - fantomas
Sent: Tuesday, April 01, 2008 11:33 AM
To: bind-users@isc.org
Subject: Re: Number of CPUs detected by Bind 9.4.2 on 4 CPU system
running RedHat es 4.

On 01.04.08 11:20, Jeff Lightner wrote:
> I'm sorry but doesn't this risk someone getting into your chroot
> environment and changing your SCSI setup or other things which is done
> by echoing things into /proc/scsi/...? If it's really required should
> it be a read only mount? The whole point of chroot is to limit what
> can be accessed if the chroot environment is compromised. Giving

direct
> access to something like /proc seems counterintuitive to me.


I'm not sure if chrooted/vservered process can modify SCSI settings
(shouldn't imho) but it's better in this case to call named with "-n 4"
or
whatever your number of CPUs/cores is.

the answer for OP here is, that the named will (hopefully) use all CPU's
in
the system. The problem only comes from inability to detect the number
of
CPUs, but the kernel will try to distribute load across all CPUs

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are
----------------------------------
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.
----------------------------------