author: Ondřej Surý <ondrej@sury.org> 2012-08-31 16:26:55 +0200
committer: Ondřej Surý <ondrej@sury.org> 2012-08-31 16:26:55 +0200
commit: 9a7b8a090ba4fa50fc023bdea04e83602a2ad0bb
tree: c7fec3e97f0b5e116f35272799d69d802267851f /doc/security.texi
parent: 4355eafde2b6a80d2b8feaba30b6a884aff070d9

Imported Upstream version 1.1.0 (ref: upstream/1.1.0)

Diffstat (limited to 'doc/security.texi')
-rwxr-xr-x doc/security.texi 15
1 files changed, 15 insertions, 0 deletions

diff --git a/doc/security.texi b/doc/security.texi
new file mode 100755
index 0000000..3716521
--- /dev/null
+++ b/doc/security.texi
@@ -0,0 +1,15 @@
+@node Security Considerations, Troubleshooting, Running Knot DNS, Top
+@chapter Security Considerations
+
+[TODO]
+- faces the internet
+
+If libcap-ng is available, Knot DNS on Linux takes advantage of
+the POSIX 1003.1e capabilities. This mechanism breaks the a set of privileges
+traditionally associated with the root into groups that can be set per-thread
+and independently enabled or disabled. For more information, look up manual page
+for capabilities(7).
+
+Knot DNS uses strips exposed threads of most capabilities like file access,
+privileged socket operations and such.
+This mitigates potential remote exploits or at least the impact.
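
Review bot: The last paragraph ("Knot DNS uses strips exposed threads of most capabilities like file access, privileged socket operations and such") never names the capabilities that are kept or which threads count as "exposed", and the first paragraph leaves open what happens when libcap-ng is not available, so an operator cannot tell what privilege a compromised thread would still hold. Suggest listing the retained capability set per thread type and stating the behaviour on builds without libcap-ng. Smaller points in the same hunk: the "[TODO]" / "- faces the internet" placeholder is shipped as chapter text, "breaks the a set of privileges" and "uses strips" need fixing, "look up manual page for capabilities(7)" reads better as "see the capabilities(7) manual page", and the file is added with mode 100755 although it is documentation.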