chroot BIND 8.2.2p5

Dave Lugo dlugo at etherboy.com
Sun Jun 11 01:34:55 UTC 2000


Michael Bryan wrote:
> 
> philip.wolfe at quintiles.com wrote:
> >
> > Hello,
> >
> > Could someone point me in the direction to some decent documentation on setting
> > up BIND 8.2.2p5 as chroot unprivileged user.
> 
> A couple of useful links are:
> 
>     http://www.etherboy.com/dns/chrootdns.html
>         (Geared towards dual DNS on Redhat)
> 

> Neither one is 100% complete, there are gotchas such as handling the
> ndc control pipe that also have to be worked out for a chroot environment,
> and making sure named has write access to the location where it puts
> its named.pid file.  But they both have good info, and are worth
> reading.

Actually, I think the etherboy info (which I wrote) does all the above. 
I have all the reload and reconfig stuff as callable options to the init
script, not as a rewritten ndc utility. Is there something I missed? 

> 
> Keep in mind that you will lose some functionality in BIND with
> a chroot/nonpriv environment.  The biggest is probably that BIND
> will not be able to scan for new IP addresses on interfaces to open
> up a socket on port 53, since only root can bind to port 53.  Also,
> the "ndc restart" function will likely not work, since the new
> named process will not even start as root, and therefore will not
> be able to bind to port 53 on any address.  If your IP addresses
> are stable, named doesn't really need to scan for changed addresses
> anyway.  Also, you can replace "ndc restart" with a custom script
> to do a full restart.  Just a little work, but it's still more than
> a basic no-brainer operation.

You're correct about the above :)  The init script I provide has a
"restart" option that can be used.

Regards,

Dave 

-- 
--------------------------------------------------------
Dave Lugo   dlugo at etherboy.com    LC Unit #260   TINLC
Have you hugged your firewall today?   No spam, thanks.
--------------------------------------------------------
Are you the police?  . . . .  No ma'am, we're sysadmins.
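Added example, not the etherboy.com script discussed above: a minimal init-style control script for a chrooted, unprivileged BIND 8.2.x named. It uses BIND 8's own -u/-g/-t switches (named binds port 53 as root, then chroots and drops privileges itself), checks that the directory holding named.pid inside the jail is writable by the unprivileged account, and drives reload/stop/restart with signals from a root-run script, since named cannot re-bind port 53 after dropping root. The jail path, account name, binary location and pid-file path are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Control script for a chrooted, unprivileged BIND 8.2.x named.
# Example code, not the etherboy.com init script. Defaults below are assumed.

CHROOT=${CHROOT:-/chroot/named}            # assumed jail directory on the host
NAMED_USER=${NAMED_USER:-named}            # assumed unprivileged account
NAMED_GROUP=${NAMED_GROUP:-$NAMED_USER}
NAMED_BIN=${NAMED_BIN:-/usr/sbin/named}    # assumed location of the BIND 8 binary
NAMED_CONF=${NAMED_CONF:-/etc/named.conf}  # path as named sees it inside the jail
PIDFILE=${PIDFILE:-/var/run/named.pid}     # pid-file from named.conf, inside the jail

# named starts as root so it can bind port 53, then chroots (-t) and drops to
# the unprivileged user/group (-u/-g). After that it cannot re-bind port 53,
# so "restart" must be driven from this root-run script, not from ndc.
named_cmdline() {
    printf '%s -u %s -g %s -t %s -c %s\n' \
        "$NAMED_BIN" "$NAMED_USER" "$NAMED_GROUP" "$CHROOT" "$NAMED_CONF"
}

# The pid file as seen on the host: jail prefix plus the in-jail path.
host_pidfile() {
    printf '%s%s\n' "$CHROOT" "$PIDFILE"
}

# named writes its pid file after dropping privileges, so the directory must
# exist inside the jail and be owned and writable by the unprivileged user.
# Returns 0 when usable, 1 otherwise.
check_pid_dir() {
    dir=$(dirname "$(host_pidfile)")
    [ -d "$dir" ] || return 1
    # -user: owned by the named account; -perm -u+w: owner write bit set
    [ -n "$(find "$dir" -maxdepth 0 -user "$NAMED_USER" -perm -u+w 2>/dev/null)" ]
}

# Print the pid of a running named, or return 1. The pid file lives inside a
# directory the unprivileged user can write, so root must not trust its
# contents blindly: insist on a purely numeric pid that is actually alive.
running_pid() {
    f=$(host_pidfile)
    [ -r "$f" ] || return 1
    pid=$(head -n 1 "$f" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || return 1
    printf '%s\n' "$pid"
}

start() {
    check_pid_dir || { echo "pid dir under $CHROOT not writable by $NAMED_USER" >&2; return 1; }
    if running_pid >/dev/null; then echo "named already running" >&2; return 1; fi
    "$NAMED_BIN" -u "$NAMED_USER" -g "$NAMED_GROUP" -t "$CHROOT" -c "$NAMED_CONF"
}

stop() {
    pid=$(running_pid) || { echo "named not running" >&2; return 1; }
    kill -TERM "$pid"
    # wait for the old process to exit before start() tries to re-bind port 53
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 30 ]; do sleep 1; i=$((i + 1)); done
}

# Equivalent of "ndc reload": SIGHUP makes named re-read named.conf and zones.
reload() {
    pid=$(running_pid) || return 1
    kill -HUP "$pid"
}

if [ $# -gt 0 ]; then
    case $1 in
        start)   start ;;
        stop)    stop ;;
        restart) stop; start ;;
        reload)  reload ;;
        *) echo "usage: $0 {start|stop|restart|reload}" >&2; exit 1 ;;
    esac
fi
```

Run as root: `./named.sh restart`. The check_pid_dir test is the one most people trip over; if named starts, binds port 53, drops root and then cannot write its pid file, the stop and restart paths have nothing to signal.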



More information about the bind-users mailing list