[bug#31894] Containerize openntpd service

From: Ludovic Courtès
Subject: [bug#31894] Containerize openntpd service
Date: Tue, 26 Jun 2018 15:48:34 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

Efraim Flashner <address@hidden> wrote:

> On Fri, Jun 22, 2018 at 09:39:01PM +0200, Ludovic Courtès wrote:
>> One thing though: could you make sure containerization isn’t redundant
>> with what OpenNTPD already does?  Namely, could you grep the source for
>> calls to “chroot”, “unshare”, or “seccomp”?  If it happens to be already
>> doing one of these things, it may be that using a container brings
>> little or nothing.
>> If it’s OK, please push!
> From grepping the source:
> ./INSTALL-OpenNTPD always uses Privilege Separation (ie the majority of the
> ./INSTALL:processing is done as a chroot'ed, unprivileged user).
> The code also supports the assertion.
> It defaults to /var/empty, unless the --with-privsep-path=path flag is
> set, so it looks like my patch is unnecessary after all. :)

Heh, alright.  Perhaps you’ll find another candidate for
containerization.  ;-)
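The check asked for above (grep the source for self-sandboxing primitives before wrapping a daemon in a container) as a small script; this is an added example, not code from the thread or from OpenNTPD, and it runs against a constructed sample tree rather than a real checkout. It also looks for pledge/unveil and setresuid/setresgid, which the thread does not mention.

```shell
# Added example (not from the thread): inventory a source tree for the
# self-sandboxing primitives a packager would look for before deciding
# whether a container wrapper adds anything.
# Usage: sandbox_primitives <source-dir>   -> lines of "primitive count"
sandbox_primitives() {
  dir=$1
  # chroot/unshare/seccomp are the ones named in the thread; pledge,
  # unveil and the setres* calls are common privsep markers added here.
  for prim in chroot unshare seccomp pledge unveil setresuid setresgid; do
    # number of files mentioning the primitive as a whole word
    n=$(grep -rlw -- "$prim" "$dir" 2>/dev/null | wc -l | tr -d ' ')
    printf '%s %s\n' "$prim" "$n"
  done
}

# Exit 0 when at least one primitive is present in the tree, 1 otherwise.
already_sandboxed() {
  sandbox_primitives "$1" | awk '$2 > 0 { found = 1 } END { exit !found }'
}

# Constructed sample tree standing in for a daemon's source checkout
# (the chroot/setresgid lines are made up for this example).
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/src"
  cat > "$d/src/privsep.c" <<'EOF'
/* constructed sample, not OpenNTPD's code */
if (chroot(pw->pw_dir) == -1) fatal("chroot");
if (setresgid(gid, gid, gid) == -1) fatal("setresgid");
EOF
  printf 'Privilege Separation is always used.\n' > "$d/INSTALL"
  printf '%s\n' "$d"
}
```

A tree with no hits is the case where a container wrapper is worth adding; a tree that already chroots and drops privileges, as the grep output above shows for OpenNTPD, is the case where it is largely redundant.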
