[bug#31894] Containerize openntpd service
From: Ludovic Courtès
Subject: [bug#31894] Containerize openntpd service
Date: Tue, 26 Jun 2018 15:48:34 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

Efraim Flashner <address@hidden> writes:
> On Fri, Jun 22, 2018 at 09:39:01PM +0200, Ludovic Courtès wrote:
[...]
>> One thing though: could you make sure containerization isn’t redundant
>> with what OpenNTPD already does? Namely, could you grep the source for
>> calls to “chroot”, “unshare”, or “seccomp”? If it happens to be already
>> doing one of these things, it may be that using a container brings
>> little or nothing.
>>
>> If it’s OK, please push!
>
> From grepping the source:
>
> ./INSTALL-OpenNTPD always uses Privilege Separation (ie the majority of the
> ./INSTALL:processing is done as a chroot'ed, unprivileged user).
>
> The code also supports the assertion.
>
> It defaults to /var/empty, unless the --with-privsep-path=path flag is
> set, so it looks like my patch is unnecessary after all. :)
Heh, alright. Perhaps you’ll find another candidate for
containerization. ;-)
Thanks,
Ludo’.
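
The source check requested in the thread, written out as an added example (not code from the thread or from OpenNTPD): it scans only `*.c`/`*.h` files, so documentation hits such as the INSTALL text are not counted as call sites. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the self-sandboxing primitives that a C source tree
# actually calls (chroot, unshare, seccomp), ignoring documentation files.

# find_sandbox_calls DIR
# Prints "mechanism<TAB>file:line:text" for each call site in *.c / *.h files.
find_sandbox_calls() {
    dir=$1
    for mech in chroot unshare seccomp; do
        case $mech in
            # Function calls: the name followed by an opening parenthesis.
            chroot|unshare) pat="(^|[^A-Za-z0-9_])${mech}[[:space:]]*\\(" ;;
            # seccomp appears as seccomp(), seccomp_*() or PR_SET_SECCOMP.
            seccomp) pat='seccomp|PR_SET_SECCOMP' ;;
        esac
        # /dev/null forces grep to print file names even for a single file.
        find "$dir" -type f \( -name '*.c' -o -name '*.h' \) \
            -exec grep -nE "$pat" /dev/null {} + 2>/dev/null |
            awk -v m="$mech" '{ print m "\t" $0 }'
    done
}

# sandbox_mechanisms DIR
# Prints the distinct mechanisms found, one per line; returns 1 if none.
sandbox_mechanisms() {
    out=$(find_sandbox_calls "$1" | cut -f1 | sort -u)
    [ -n "$out" ] && printf '%s\n' "$out"
}

# make_sample_tree DIR: constructed input, not OpenNTPD's real source.
make_sample_tree() {
    mkdir -p "$1/src"
    # Documentation mentions chroot but is not a call site.
    echo "processing is done as a chroot'ed, unprivileged user" > "$1/INSTALL"
    cat > "$1/src/daemon.c" <<'EOF'
#include <unistd.h>
int drop(const char *dir) {
    if (chroot(dir) == -1) return -1;   /* confine to an empty directory */
    return chdir("/");
}
EOF
}

# Stand-alone use: pass the unpacked source directory as the first argument.
if [ $# -gt 0 ]; then
    sandbox_mechanisms "$1" || echo "no chroot/unshare/seccomp call sites in $1"
fi
```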