Shared libraries loaded after chroot

Marc Haber mh+bind-users at zugschlus.de
Mon May 16 08:38:39 UTC 2016


Hi,

In Debian, the bind9 packages have recently started to trouble me in
chrooted environments since some cryptographic libraries are loaded
after bind has chrooted itself, which results - in the case of a
minimal chroot - in a fatal run-time error:

May 14 21:57:17 fan named[28066]: starting BIND 9.10.3-P4-Debian <id:ebd72b3> -f -u bind -t /var/local/chroot/bind
May 14 21:57:17 fan named[28066]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 -DDIG_SIGCHASE'
May 14 21:57:17 fan named[28066]: ----------------------------------------------------
May 14 21:57:17 fan named[28066]: BIND 9 is maintained by Internet Systems Consortium,
May 14 21:57:17 fan named[28066]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
May 14 21:57:17 fan named[28066]: corporation.  Support and training for BIND 9 are
May 14 21:57:17 fan named[28066]: available at https://www.isc.org/support
May 14 21:57:17 fan named[28066]: ----------------------------------------------------
May 14 21:57:17 fan named[28066]: adjusted limit on open files from 4096 to 1048576
May 14 21:57:17 fan named[28066]: found 6 CPUs, using 6 worker threads
May 14 21:57:17 fan named[28066]: using 3 UDP listeners per interface
May 14 21:57:17 fan named[28066]: using up to 4096 sockets
May 14 21:57:17 fan named[28066]: ENGINE_by_id failed (crypto failure)
May 14 21:57:17 fan named[28066]: error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
May 14 21:57:17 fan named[28066]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
May 14 21:57:17 fan named[28066]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:390:id=gost
May 14 21:57:17 fan named[28066]: initializing DST: crypto failure
May 14 21:57:17 fan named[28066]: exiting (due to fatal error)

I have filed Debian Bug #820974 (http://bugs.debian.org/820974)
accordingly. The Debian bind people suggest that I copy the respective
libraries to the chroot so that bind can find them.

This, however, would take possibly security-relevant libraries from
the automated update mechanisms of the distributions, and would
therefore greatly reduce ease of upgrades. It is also not mentioned in
Chapter 6 of the ARM.

What is the official upstream remedy to this situation?

Frankly, I think this is a bug in bind 9.10; it should load all
necessary libraries before chrooting itself. I am aware that this
would probably need parsing of the configuration before chrooting.

What is the recommended way to run bind 9.10 in a chroot?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
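The remedy suggested to the poster (copying libraries into the chroot) creates the exact drift the post worries about: a copied libcrypto or engine module no longer follows the distribution's security updates. As an added example, not code from the post, from BIND or from Debian, the POSIX shell functions below audit a chroot for such copies: a library missing from the chroot reproduces the dlopen-after-chroot failure in the log, and one that is present but differs from the host's current file has dropped out of the update path. The library paths, the host-root parameter and the `linked_libs` helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the post or from BIND: audit the shared libraries
# that were copied into a chroot. A copy that is missing reproduces the
# dlopen-after-chroot failure in the log above; a copy that is present
# but differs from the host's current file has silently dropped out of
# the distribution's security-update path.
#
# Usage: audit_chroot_libs HOST_ROOT CHROOT LIB_PATH...
#   HOST_ROOT is normally "/"; it is a parameter only so the check can be
#   run against constructed directory trees.
# Prints OK / MISSING / STALE / NO-HOST-COPY per library and returns
# 0 when every library is OK, 1 otherwise.
audit_chroot_libs() {
    host="$1"; chroot="$2"; shift 2
    rc=0
    for lib in "$@"; do
        src="${host%/}/${lib#/}"      # copy maintained by the package manager
        dst="${chroot%/}/${lib#/}"    # copy the chrooted daemon will dlopen
        if [ ! -f "$dst" ]; then
            echo "MISSING      $lib"; rc=1
        elif [ ! -f "$src" ]; then
            echo "NO-HOST-COPY $lib"; rc=1
        elif ! cmp -s "$src" "$dst"; then
            echo "STALE        $lib (differs from host copy)"; rc=1
        else
            echo "OK           $lib"
        fi
    done
    return "$rc"
}

# Libraries a binary is linked against, as absolute paths, to feed the audit.
# Caveat: an OpenSSL engine such as the gost engine in the log is loaded
# with dlopen() at run time, so ldd will not list it; add its path by hand.
linked_libs() {
    ldd "$1" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }
                    $1 ~ /^\//                { print $1 }'
}
```

Run it as `audit_chroot_libs / /var/local/chroot/bind $(linked_libs /usr/sbin/named) /path/to/engine.so` from a cron job so a stale copy is noticed right after the next libcrypto security update.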
