bind-9 and static

Mark.Andrews at nominum.com
Thu Sep 21 00:55:39 UTC 2000


> 
> 
> > 	What benefit is there in running it as static?
> 
> An attempt to limit the exposure and number of available avenues for
> further damage.

	Named is not a suid executable, it is not designed as a suid
	executable.  It is however designed to be started by root
	and optionally change to running as a different user.

	Linking statically actually exposes you to more risk rather
	than less as you don't pick up bug fixes to libraries as
	easily.

> 
> > 	There was a marginal setup benefit with BIND8 and running chroot
> > 	but BIND 9 no longer has a named-xfer hence no benefit.
> 
> I'm not sure I understand. So the named binary is itself doing the zone
> transfer, but I'm not sure how that's really different than it was
> before...

	Then you don't understand why people wanted named (or more
	particularly named-xfer) linked statically for chroot in the
	first place.

> 
> > 	CFLAGS="..." ./configure
> 
> This didn't work. It seems to arbitrarily ignore the -static but keeps the
> -O2 but ignores the -static on all binaries.
> 
> Thanks again,
> Dave
	
	Run the following and post the results.

	script
	make distclean
	env CFLAGS="-O2 -static" ./configure
	make depend
	make
	file bin/nsupdate/nsupdate
	exit

	Mark
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com


