static compiling bind 8.2.2 P5 on linux
jim at rfc1035.com
Wed Mar 29 06:53:29 UTC 2000
>>>>> "Kevin" == Kevin Darcy <kcd at daimlerchrysler.com> writes:
Kevin> Jan Stifter wrote:
>> Hello, I would like to compile bind 8.2.2 patchlevel 5 on linux
>> _statically_. If you wonder why, take a look at: Securing DNS
>> (Linux) http://www.psionic.com/papers/dns/dns-linux/
Kevin> Sorry, I have no idea how to go about statically-linking BIND.
It's usually a simple matter of adding or changing an argument to the
linker. Or giving that -Bstatic argument or whatever to the compiler to
pass to the linker.
Kevin> But, I believe it's not terribly difficult to set up
Kevin> a chroot jail with shared libraries. Perhaps you should
Kevin> consider that alternative. The only reason given on the web
Kevin> page for statically-linking, after all, is that it "makes
Kevin> setup easier"...
Well, if you add the shared C library to the chroot jail, any holes in
that library become available to the processes running in the
chroot'ed environment. [Think gets().] And you usually have to add a
bunch of other files so that the shared library can be mmap()ed into
the chroot'ed processes. This is a pain and theoretically makes things
less secure. The more files that get put in the chroot jail, the
higher the chances that you introduce something that has or causes a
security hole. A minimal environment should be provided in a chroot
jail. Providing shared libraries there can be a step too far.
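The two points in the reply above (whether a binary is really static, and how many extra files a dynamically linked daemon drags into a chroot jail) can be checked with ldd. The script below is an added example, not code from the original post, from BIND, or from the psionic.com paper. With gcc on Linux the flag Jim alludes to is `-static` (gcc passes `-Bstatic` to ld for you). The `SAMPLE_LDD_*` strings are constructed to look like ldd output from a glibc system of that era; the library paths in them are illustrative, not captured from a real host.

```shell
#!/bin/sh
# Added example: tell a static binary from a dynamic one using ldd output,
# and list the shared objects (and dynamic loader) that would have to be
# copied into a chroot jail for the dynamic case.

# Constructed sample ldd output (illustrative paths, not from a real system).
SAMPLE_LDD_DYNAMIC='        libc.so.6 => /lib/libc.so.6 (0x40017000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

SAMPLE_LDD_STATIC='        statically linked'

# is_static: succeed (exit 0) if the ldd output describes a static binary.
# Different ldd versions print "statically linked" or "not a dynamic executable".
is_static() {
    printf '%s\n' "$1" | grep -Eq 'statically linked|not a dynamic executable'
}

# jail_deps: print every file the jail would need for this binary, one per line.
# Handles both "lib => /path (0x...)" lines and a bare "/path (0x...)" loader
# line; vdso entries such as "linux-gate.so.1 => (0x...)" have no path and
# are skipped.
jail_deps() {
    printf '%s\n' "$1" | awk '
        /=>/        { if ($3 ~ /^\//) print $3; next }
        /^[ \t]*\// { print $1 }
    '
}

# count_jail_deps: number of files the jail would need (0 for a static binary).
count_jail_deps() {
    jail_deps "$1" | awk 'END { print NR }'
}

# Optional live check, run only when a compiler and ldd are present and a
# static libc is installed: build one trivial program both ways and compare.
demo_static_vs_dynamic() {
    command -v cc >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1 || return 0
    tmp=$(mktemp -d) || return 1
    printf 'int main(void) { return 0; }\n' > "$tmp/t.c"
    if cc -o "$tmp/dyn" "$tmp/t.c" 2>/dev/null &&
       cc -static -o "$tmp/stat" "$tmp/t.c" 2>/dev/null; then
        echo "dynamic build would need these files in the jail:"
        jail_deps "$(ldd "$tmp/dyn" 2>&1)"
        if is_static "$(ldd "$tmp/stat" 2>&1)"; then
            echo "static build needs no shared objects in the jail"
        fi
    fi
    rm -rf "$tmp"
}

demo_static_vs_dynamic
```

Running `ldd` (or `jail_deps`) on the real `named` binary shows exactly what the "bunch of other files" would be on your system: the C library plus the dynamic loader at minimum, and often more (name-service switch modules, libresolv) depending on the libc. A `-static` build reduces that list to nothing, which is the point of the psionic.com recommendation.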