End of bind-chroot-admin script

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Mon Nov 10 12:47:02 UTC 2008


Alan Cox <alan at redhat.com> writes:

> It's also inadequate for some forms of attack. If I can persuade your
> named to run code of my choice in a chroot without selinux then I can
> still use your box as a spam machine, botnet host, DoS attack tool,
> proxy, etc .. all without breaking the chroot.

Can be prevented with traditional tools too:

iptables -A OUTPUT -m owner --uid-owner named -j o-NAMED




Enrico
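Added example, not part of Enrico's mail or of the bind-chroot-admin script: one possible definition of the user-defined chain o-NAMED that the rule above jumps to, written as a POSIX sh script. The idea is the one stated in the mail, that owner matching in the OUTPUT chain can stop a compromised named from talking to anything but DNS even though the process never leaves its chroot. Assumptions (not from the original): named runs as the user "named", rules are IPv4 only (ip6tables would need the same treatment), the chain name o-NAMED is taken from the quoted rule, and the IPTABLES/NAMED_USER variables plus the dry-run mode are illustrative conveniences so the rules can be printed without root.

```shell
#!/bin/sh
# Egress filter for a DNS server process, keyed on the uid it runs as.
# Added example (hypothetical script, not from the bind-chroot-admin package).
# Run "sh named-egress.sh apply" as root, or "sh named-egress.sh dry-run"
# to print the iptables invocations instead of executing them.

IPTABLES="${IPTABLES:-iptables}"      # set to "echo" for a dry run
NAMED_USER="${NAMED_USER:-named}"     # assumption: named drops to this uid
CHAIN="o-NAMED"                       # chain name from the quoted rule

named_egress_rules() {
    # Create the chain, or flush it if it already exists, so re-running is safe.
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || "$IPTABLES" -F "$CHAIN"

    # Local traffic (rndc, a local stub resolver, the statistics channel) is fine.
    "$IPTABLES" -A "$CHAIN" -o lo -j ACCEPT

    # Answers to queries named received, and the rest of any TCP session it
    # opened, are covered by connection tracking; this must come before the
    # port checks so that replies to clients on arbitrary ports are accepted.
    "$IPTABLES" -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New outbound traffic may only go to port 53: recursion, zone transfers,
    # NOTIFY. UDP and TCP are both needed.
    "$IPTABLES" -A "$CHAIN" -p udp --dport 53 -j ACCEPT
    "$IPTABLES" -A "$CHAIN" -p tcp --dport 53 -j ACCEPT

    # Anything else the named uid tries to send (SMTP, IRC, HTTP, proxying...)
    # is logged with a rate limit and dropped.
    "$IPTABLES" -A "$CHAIN" -m limit --limit 5/min -j LOG \
        --log-prefix "named-egress-drop: "
    "$IPTABLES" -A "$CHAIN" -j DROP

    # Hook the chain into OUTPUT. "-m owner" only matches locally generated
    # packets, which is exactly the case here. Delete a stale copy first so the
    # jump is not duplicated on every run.
    "$IPTABLES" -D OUTPUT -m owner --uid-owner "$NAMED_USER" -j "$CHAIN" \
        2>/dev/null || true
    "$IPTABLES" -A OUTPUT -m owner --uid-owner "$NAMED_USER" -j "$CHAIN"
}

case "${1:-}" in
    apply)   named_egress_rules ;;
    dry-run) IPTABLES=echo; named_egress_rules ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

Two caveats a practitioner would add: the filter only constrains destination ports, so a compromised named can still move data to any host that listens on port 53 (DNS tunnelling), and it says nothing about traffic named sends before it has dropped privileges to the named uid, since that traffic is not matched by --uid-owner.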