Shared libraries loaded after chroot

Marc Haber mh+bind-users at
Tue May 17 05:18:40 UTC 2016

On Mon, May 16, 2016 at 08:51:41PM -0400, Paul Kosinski wrote:
> I have avoided the problem chroot causes in a fairly general fashion by
> using "mount --bind". For example:
>   /bin/mount --bind /lib /chroot/dns/lib
> will make the entire /lib directory available to the chrooted BIND,
> assuming the path /chroot/dns is created beforehand to serve as the
> chroot base for running BIND.

This is a wrong and dangerous "fix" since it exposes the parent
system's /lib to the chroot. Preventing this exposure is the reason
for chroot in the first place.

> I have heard that chroot does not provide unbreakable isolation, and,
> of course, many extra files are made available to the chrooted process
> compared to copying the minimum number of individual files.

This is much worse than copying the minimum number of individual files
since it allows the chrooted root account to _directly_ _change_ the
files of the parent system. You can run unchrooted without much more


Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

More information about the bind-users mailing list