I found this set of patches for djbdns lying around that may be useful (NOT tested). :)
Created attachment 7713: set of patches that I found lying around... :)
Created attachment 9590: fixes a little bug for grsecurity-enabled kernels that don't allow fchrooting out of an already established chroot. I found this when trying to use djbdns on a grsecurity-enabled 2.4.19 kernel. The service failed constantly saying it couldn't get to some file. Stracing it showed that the kernel doesn't allow some djb trick with fchroot, so I fixed it a bit. I DO NOT KNOW HOW EXACTLY THIS CAN AFFECT OVERALL DJBDNS SECURITY, AND THEREFORE I AM NOT LIABLE FOR ANY CONSEQUENCES OF USING THIS PATCH. IOW: you're on your own.
Also watch bug #19375.
Most of the patches in the set of patches (attachment #1) have been discussed on the dns@list.cr.yp.to list, and pretty much everyone agrees they are not only not useful, but even contradict the design of djbdns.
This is bad. Who is in charge here?
Please ignore my previous post
When you say grsecurity will complain, do you mean it will not work with djbdns at all, or does it just produce a cosmetic error? If the former, I will add this patch with a grsecurity USE flag; if the latter, I will not add this patch.
Jared, I ask you to please NOT add a grsecurity USE flag for this one special case of dealing with optional fchroot behaviors. My guess is it's a security risk, and I don't want users to associate grsecurity with the need to relax security. Please either take the patch as is, all together, or talk to djb and see if the proposed patch is ok.