On Tue, Apr 01, 2008 at 11:20:50AM -0400, Jeff Lightner wrote:
> I'm sorry but doesn't this risk someone getting into your chroot
> environment and changing your SCSI setup or other things which is done
> by echoing things into /proc/scsi/...? If it's really required should
> it be a read-only mount? The whole point of chroot is to limit what
> can be accessed if the chroot environment is compromised. Giving direct
> access to something like /proc seems counterintuitive to me.
> I feel I'm missing something important here.

You're right. It should be mounted read-only. But if named runs under a
non-root user it is not needed because only root can change /proc
values (but as you wrote read-only is more secure).


Adam Tkac, Red Hat, Inc.
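The check that follows is an added example, not part of this thread or of the BIND package: a small POSIX shell audit that reads a mount table in /proc/mounts format and flags any proc filesystem mounted under a chroot without the `ro` option. The chroot path /var/named/chroot and the sample mount lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit proc mounts under a chroot
# for the read-only option discussed above.
# Assumptions: chroot root defaults to /var/named/chroot (hypothetical);
# input is in /proc/mounts format; the sample table below is constructed.

CHROOT="${CHROOT:-/var/named/chroot}"

# check_proc_mount <chroot-root>
# Reads /proc/mounts-format lines on stdin. For every proc mount located
# at <chroot-root>/proc it prints "OK" when the mount carries the ro option
# and "WARN" when it is writable. Returns 1 if any such mount is writable.
check_proc_mount() {
    root="$1"
    rc=0
    while read -r dev mnt fstype opts rest; do
        [ "$fstype" = "proc" ] || continue
        case "$mnt" in
            "$root"/proc) ;;
            *) continue ;;
        esac
        # Surround the option list with commas so "ro" matches only as a
        # whole option (and not e.g. the tail of "errors=remount-ro").
        case ",$opts," in
            *,ro,*) echo "OK   $mnt ($opts)" ;;
            *)      echo "WARN $mnt is writable ($opts)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample mount table (not real system output).
SAMPLE='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /var/named/chroot/proc proc ro,nosuid,nodev,noexec,relatime 0 0
tmpfs /var/named/chroot/dev tmpfs rw 0 0'

# On a live system replace the printf with: check_proc_mount "$CHROOT" < /proc/mounts
printf '%s\n' "$SAMPLE" | check_proc_mount "$CHROOT"
```

To create the mount the way the reply recommends, a read-only proc mount for the chroot looks like `mount -t proc -o ro,nosuid,nodev,noexec proc /var/named/chroot/proc`; the audit above then reports it as OK, and reports WARN if a later remount drops the `ro` option.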