static compiling bind 8.2.2 P5 on linux

Jim Reid jim at rfc1035.com
Wed Mar 29 06:53:29 UTC 2000


>>>>> "Kevin" == Kevin Darcy <kcd at daimlerchrysler.com> writes:

    Kevin> Jan Stifter wrote:
    >> hello, i would like to compile bind 8.2.2 patchlevel 5 on linux
    >> _statically_.  if you wonder why, take a look at: Securing DNS
    >> (Linux) http://www.psionic.com/papers/dns/dns-linux/

    Kevin> Sorry, I have no idea how to go about statically-linking BIND.

It's usually a simple matter of adding or changing an argument to the
linker. Or giving that -Bstatic argument or whatever to the compiler to
pass to the linker.

    Kevin> But, I believe it's not terribly difficult to set up
    Kevin> a chroot jail with shared libraries. Perhaps you should
    Kevin> consider that alternative. The only reason given on the web
    Kevin> page for statically-linking, after all, is that it "makes
    Kevin> setup easier"...

Well if you add the shared C library to the chroot jail, any holes in
that library become available to the processes running in the
chroot'ed environment. [Think gets().] And you usually have to add a
bunch of other files so that the shared library can be mmap()ed into
the chroot'ed processes. This is a pain and theoretically makes things
less secure. The more files that get put in the chroot jail, the
higher the chances that you introduce something that has or causes a
security hole. A minimal environment should be provided in a chroot
jail. Providing shared libraries there can be a step too far.
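The trade-off described above (every shared library copied into the jail, plus the loader and whatever the loader needs, widens what the jailed process can reach) is easier to reason about when you can see exactly what a given executable will pull in. What follows is an added example, not code from the original thread or from the BIND distribution: a small Python 3 ELF reader that reports whether a binary is statically linked (no PT_INTERP and no PT_DYNAMIC program header) and, if it is not, which DT_NEEDED libraries the dynamic loader will expect to find inside the chroot. It handles little-endian ELF64 only, and the sample image it builds is a constructed stand-in for a real binary. Given a path argument it inspects a real file instead.

```python
import struct
import sys

# ELF64 little-endian structure layouts (System V gABI).
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5


def _vaddr_to_offset(loads, addr):
    """Translate a virtual address to a file offset via the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= addr < p_vaddr + p_filesz:
            return addr - p_vaddr + p_offset
    raise ValueError("address 0x%x is not backed by any PT_LOAD segment" % addr)


def _cstring(data, off):
    """Read a NUL-terminated ASCII string starting at file offset `off`."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def shared_deps(data):
    """Return {'static': bool, 'interp': str|None, 'needed': [lib names]}.

    'needed' lists only the direct DT_NEEDED entries; libraries those pull in
    transitively, and anything opened later with dlopen(), are not visible here.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    loads, interp, dynamic = [], None, None
    for i in range(e_phnum):
        p_type, _fl, p_off, p_vaddr, _pa, p_filesz, _msz, _al = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_off, p_vaddr, p_filesz))
        elif p_type == PT_INTERP:
            interp = _cstring(data, p_off)       # path of the dynamic loader
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    needed = []
    if dynamic is not None:
        d_off, d_size = dynamic
        entries = [DYN.unpack_from(data, d_off + i * DYN.size)
                   for i in range(d_size // DYN.size)]
        strtab = next((v for t, v in entries if t == DT_STRTAB), None)
        if strtab is not None:
            str_off = _vaddr_to_offset(loads, strtab)
            for tag, val in entries:
                if tag == DT_NULL:
                    break
                if tag == DT_NEEDED:
                    needed.append(_cstring(data, str_off + val))
    return {"static": interp is None and dynamic is None,
            "interp": interp, "needed": needed}


def build_sample_elf(dynamic=True):
    """Constructed sample image (not a runnable program): just the headers the
    parser inspects, laid out so that virtual addresses differ from offsets."""
    base = 0x400000
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    strtab = b"\0libc.so.6\0libpthread.so.0\0"
    phnum = 3 if dynamic else 1
    interp_off = EHDR.size + phnum * PHDR.size
    strtab_off = interp_off + len(interp)
    dyn_off = strtab_off + len(strtab)
    dyn = b"".join(DYN.pack(t, v) for t, v in [
        (DT_STRTAB, base + strtab_off),
        (DT_NEEDED, strtab.index(b"libc.so.6")),
        (DT_NEEDED, strtab.index(b"libpthread.so.0")),
        (DT_NULL, 0)])
    total = dyn_off + len(dyn)
    phdrs = [PHDR.pack(PT_LOAD, 5, 0, base, base, total, total, 0x1000)]
    if dynamic:
        phdrs.append(PHDR.pack(PT_INTERP, 4, interp_off, base + interp_off,
                               base + interp_off, len(interp), len(interp), 1))
        phdrs.append(PHDR.pack(PT_DYNAMIC, 6, dyn_off, base + dyn_off,
                               base + dyn_off, len(dyn), len(dyn), 8))
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, 2, 0x3E, 1, base,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, phnum, 64, 0, 0)
    return ehdr + b"".join(phdrs) + interp + strtab + dyn


if __name__ == "__main__":
    # Usage: python3 elfdeps.py /path/to/named   (no argument: constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    info = shared_deps(data)
    if info["static"]:
        print("statically linked: nothing beyond the binary needs to go into the jail")
    else:
        print("dynamic loader required in jail:", info["interp"])
        for lib in info["needed"]:
            print("  shared library required in jail:", lib)
```

Run against a real executable, the output is the minimum list of files the jail must contain for the program to start at all; compare it with what is actually in the chroot to spot libraries that were copied in but are not needed.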


