chroot query

[Simon Waters]

david doherty wrote:
> 
> Are there any benefits or disadvantages to using bind's chroot
> environment rather than the solaris chroot environment ?

The main benefit on BIND chroot is you don't need to create a
complex jail, you just need data files that BIND uses whilst
running, and /dev/random in some configurations.

Most of the "complexity" of the normal chroot environment is for
the benefit of forking another process, but BIND 9 doesn't do
this, where as BIND 8 did it for zone transfer.

I haven't seen any detailed analysis of whether the BIND 9
approach is less secure, it is obviously more dependant on the
code doing the right thing, so in that sense it must be slightly
less secure (assuming your chroot jail creation is always
perfect).

When I looked at the code for 9.2.1 I saw some things that could
have been done after privileges were dropped being done before
they were dropped, but nothing that I would expect to be
security sensitive, but I'm not very experienced in security
auditing of C code.

I'm happy to go with the BIND 9 chroot, as for most systems I
deal with the compromise of the DNS process and data itself is
almost as severe as a root compromise of the DNS server, in such
environments chrooting doesn't justify major effort. Similarly
other security mechanisms might better restrict the damage a
compromise will do.