chrooting bind

Kevin Darcy kcd at daimlerchrysler.com
Thu Aug 16 20:46:40 UTC 2001


No, if you "externally" chroot named, then you need all of the device nodes and
libraries. If you use "-t", named can dynamically link to libraries, open
devices, etc. before it actually issues chroot(). So you don't need nearly as
much in the chroot jail.


- Kevin

Christopher L. Barnard wrote:

> Maybe I am missing something here, but according to the bind9ARM, using the -t
> flag to bind still requires you to set up a sandbox just as if you were going
> to chroot the binary:
>
> ----8<----
> 7.2. chroot and setuid (for UNIX servers)
>
> On UNIX servers, it is possible to run BIND in a chrooted environment
> (chroot()) by specifying the "-t" option. This can help improve system
> security by placing BIND in a "sandbox," which will limit the damage done if a
> server is compromised.
>
> [...]
>
> Here is an example command line to load BIND in a chroot() sandbox,
> /var/named, and to run named setuid to user 202:
>
> /usr/local/bin/named -u 202 -t /var/named
>
> 7.2.1. The chroot Environment
>
> In order for a chroot() environment to work properly in a particular directory
> (for example, /var/named), you will need to set up an environment that
> includes everything BIND needs to run. From BIND's point of view, /var/named
> is the root of the filesystem. You will need /dev/null, and any library
> directories and files that BIND needs to run on your system. Please consult
> your operating system's instructions if you need help figuring out which
> library files you need to copy over to the chroot() sandbox.
>
> -----8<-----
>
> So if the -t option to named requires you to set up the same jail as using
> chroot manually, it looks like the only difference is where the actual named
> binary sits...
>
> Christopher
> +-----------------------------------------------------------------------+
> | Christopher L. Barnard         O     When I was a boy I was told that |
> | cbarnard at tsg.cbot.com         / \    anybody could become president.  |
> | (312) 347-4901               O---O   Now I'm beginning to believe it. |
> | http://www.cs.uchicago.edu/~cbarnard                --Clarence Darrow |
> +----------PGP public key available via finger or PGP keyserver---------+
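The jail the ARM excerpt describes, built the lean way Kevin suggests, as an added example that is not code from either poster or from the BIND distribution. Because "-t" lets named link its libraries before it calls chroot(), the script creates only the directory tree, a config and /dev/null, and it ends with a check that reports what is still missing. Assumptions not stated in the thread: Linux major/minor numbers for /dev/null (char 1,3); named reads /etc/named.conf relative to the jail; it writes its pid file under /var/run and secondary zones under /var/named/slaves after dropping to the unprivileged uid, so only those two directories are owned by that uid.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts or from BIND).
# Builds the minimal jail that "named -u <uid> -t <jail>" needs: no shared
# libraries, since named loads them before chroot(). Run as root:
#   JAIL=/var/named NAMED_UID=202 sh mkjail.sh build
set -eu

JAIL=${JAIL:-/var/named}       # jail root, as in the ARM example
NAMED_UID=${NAMED_UID:-202}    # unprivileged uid, as in the ARM example

# Directory skeleton. Config and primary zones stay root-owned and read-only
# for named; only the directories it must write belong to NAMED_UID
# (assumption: pid file in var/run, secondary zones in var/named/slaves).
make_jail_skeleton() {
    jail=$1; uid=$2
    for d in etc dev var/run var/named var/named/slaves; do
        mkdir -p "$jail/$d"
    done
    chmod 755 "$jail" "$jail/etc" "$jail/dev" "$jail/var" "$jail/var/named"
    chmod 755 "$jail/var/run" "$jail/var/named/slaves"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$uid" "$jail/var/run" "$jail/var/named/slaves"
    fi
}

# Minimal named.conf, written only when none is present. Every path in it is
# relative to the jail root, because that is "/" as named sees it after
# chroot(); on the host the zone directory is really $JAIL/var/named.
write_default_config() {
    jail=$1
    if [ -f "$jail/etc/named.conf" ]; then
        return 0
    fi
    cat > "$jail/etc/named.conf" <<'EOF'
options {
    directory "/var/named";          // jail-relative: $JAIL/var/named on the host
    pid-file "/var/run/named.pid";   // assumed location, see lead-in
    recursion no;                    // constructed default; adjust per site
};
EOF
    chmod 644 "$jail/etc/named.conf"
}

# The one device node the ARM calls for. mknod needs root, and the numbers
# below are Linux-specific (assumption; confirm with ls -l /dev/null on your
# system). Skipped with a warning when not root.
make_jail_devices() {
    jail=$1
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: create $jail/dev/null as root before starting named" >&2
        return 0
    fi
    if [ ! -c "$jail/dev/null" ]; then
        mknod -m 666 "$jail/dev/null" c 1 3
    fi
}

# Report anything the jail still lacks; returns non-zero if something is missing.
# A regular file named dev/null is a common mistake and is rejected here.
jail_check() {
    jail=$1
    rc=0
    for d in etc dev var/run var/named; do
        [ -d "$jail/$d" ] || { echo "missing directory: $jail/$d" >&2; rc=1; }
    done
    [ -c "$jail/dev/null" ] || { echo "missing or not a char device: $jail/dev/null" >&2; rc=1; }
    [ -f "$jail/etc/named.conf" ] || { echo "missing $jail/etc/named.conf" >&2; rc=1; }
    return $rc
}

build_jail() {
    jail=$1; uid=$2
    make_jail_skeleton "$jail" "$uid"
    write_default_config "$jail"
    make_jail_devices "$jail"
    jail_check "$jail"
    echo "jail ready; start with: /usr/local/bin/named -u $uid -t $jail"
}

case "${1:-}" in
    build) build_jail "$JAIL" "$NAMED_UID" ;;
    check) jail_check "$JAIL" ;;
esac
```

If you chroot named "externally" instead (chroot /var/named /usr/local/bin/named ...), this skeleton is no longer enough: the dynamic linker, the libraries ldd lists for the named binary, and any other devices it opens at start-up all have to be copied into the jail as well, which is the difference the thread is about.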