Bug 24487 - A more secure dhcp server.
Summary: A more secure dhcp server.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: Max Kalika (RETIRED)
URL: http://68.6.36.243:81/chora/cvs.php/p...
Reported: 2003-07-14 16:11 UTC by Max Kalika (RETIRED)
Modified: 2003-08-06 16:37 UTC
Description Max Kalika (RETIRED) gentoo-dev 2003-07-14 16:11:18 UTC
Using the dhcp paranoia patch (http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch), the dhcp server can be made much more secure by chrooting and dropping root privileges. These restrictions are optional and only take effect when activated on the command line. The chroot environment is similar to that of bind. Please take a look at the ebuild on the posted URL (and also the modified startup script and its config counterpart).

Other fixes include a cleaned up src_install() procedure, a define for the location of user man directory, and other misc things.
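
The chroot-then-drop-privileges sequence the description refers to, as an added example (not code from the paranoia patch, the ebuild, or any participant in this bug). The function name, result codes and arguments are hypothetical; it assumes a Linux/glibc system and a daemon that has already finished its privileged setup.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result codes naming the step that refused; JAIL_OK = jailed and unprivileged. */
enum jail_err { JAIL_OK, JAIL_NOT_ROOT, JAIL_NO_USER, JAIL_CHROOT,
                JAIL_GROUPS, JAIL_IDS, JAIL_STILL_ROOT };

/* Call once privileged setup (e.g. binding the server socket) is finished. */
enum jail_err jail_and_drop(const char *root, const char *user)
{
    if (geteuid() != 0)
        return JAIL_NOT_ROOT;   /* chroot(2) and switching users need root */

    /* Resolve the account first: /etc/passwd is not visible inside the jail.
       Refuse unknown accounts and uid 0 (dropping to root drops nothing). */
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0)
        return JAIL_NO_USER;
    uid_t uid = pw->pw_uid;
    gid_t gid = pw->pw_gid;

    /* chdir after chroot so the working directory cannot point outside the jail. */
    if (chroot(root) != 0 || chdir("/") != 0)
        return JAIL_CHROOT;

    /* Order matters: supplementary groups, then gid, then uid. Once the uid
       is dropped the process can no longer change its groups. */
    if (setgroups(1, &gid) != 0)
        return JAIL_GROUPS;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_IDS;

    /* Verify the drop: regaining uid 0 must fail and all ids must match. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid || getgid() != gid)
        return JAIL_STILL_ROOT;
    return JAIL_OK;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <jail-dir> <user>\n", argv[0]); return 2; }
    enum jail_err e = jail_and_drop(argv[1], argv[2]);
    printf("result=%d uid=%ld\n", (int)e, (long)getuid());
    return e == JAIL_OK ? 0 : 1;
}
```
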
Comment 1 solar (RETIRED) gentoo-dev 2003-07-23 16:20:14 UTC
Max,
Very cool addition. We have been kicking around the idea of adding a "chroot" use flag in the hardened herd. This seems like a good candidate to take advantage of the potential flag. Perhaps something like "use chroot && pkg_config" could be put in the pkg_postinst().
Comment 2 Max Kalika (RETIRED) gentoo-dev 2003-08-04 14:21:48 UTC
(taking this on)

Hi Ned!  Is this something bind currently does?  (use chroot && pkg_config). Also I don't see chroot in /usr/portage/use{.local,}.desc.  Is this a planned addition?
Comment 3 solar (RETIRED) gentoo-dev 2003-08-04 15:20:46 UTC
Max,
No, at this point Gentoo has no "chroot" use flag. Also, bind requires us to post-configure it if we wish to have it running in a chrooted environment. If this package can make use of one then by all means please be the first to add it. I know if one exists, people will be more motivated to include support for chrooting apps. Another such app that can be chrooted rather easily would be "snmpd".
Comment 4 Max Kalika (RETIRED) gentoo-dev 2003-08-06 16:37:38 UTC
This is in portage now.