chroot BIND 8.2.2p5
Dave Lugo
dlugo at etherboy.com
Sun Jun 11 01:34:55 UTC 2000
Michael Bryan wrote:
>
> philip.wolfe at quintiles.com wrote:
> >
> > Hello,
> >
> > Could someone point me in the direction to some decent documentation on setting
> > up BIND 8.2.2p5 as chroot unprivileged user.
>
> A couple of useful links are:
>
> http://www.etherboy.com/dns/chrootdns.html
> (Geared towards dual DNS on Redhat)
>
> Neither one is 100% complete, there are gotchas such as handling the
> ndc control pipe that also have to be worked out for a chroot environment,
> and making sure named has write access to the location where it puts
> its named.pid file. But they both have good info, and are worth
> reading.
Actually, I think the etherboy info (which I wrote) does all the above.
I have all the reload and reconfig stuff as callable options to the init
script, not as a rewritten ndc utility. Is there something I missed?
>
> Keep in mind that you will lose some functionality in BIND with
> a chroot/nonpriv environment. The biggest is probably that BIND
> will not be able to scan for new IP addresses on interfaces to open
> up a socket on port 53, since only root can bind to port 53. Also,
> the "ndc restart" function will likely not work, since the new
> named process will not even start as root, and therefore will not
> be able to bind to port 53 on any address. If your IP addresses
> are stable, named doesn't really need to scan for changed addresses
> anyway. Also, you can replace "ndc restart" with a custom script
> to do a full restart. Just a little work, but it's still more than
> a basic no-brainer operation.
You're correct about the above :) The init script I provide has a
"restart" option that can be used.
Regards,
Dave
--
--------------------------------------------------------
Dave Lugo dlugo at etherboy.com LC Unit #260 TINLC
Have you hugged your firewall today? No spam, thanks.
--------------------------------------------------------
Are you the police? . . . . No ma'am, we're sysadmins.
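As an added example, not the etherboy script and not anything posted in the thread: a small init-style wrapper of the kind the thread describes, covering the three gotchas it raises (named.pid must be writable from inside the jail, reload without the ndc control pipe, and a full root-driven restart in place of "ndc restart", since a named re-exec'd as the unprivileged user can no longer bind port 53). Assumptions are labelled in the comments: named accepts the BIND 8.2.x `-u`/`-g`/`-t` options, the jail lives at `/chroot/named` with `/etc/named.conf` and `/var/run` inside it, and reload is driven by SIGHUP.

```shell
#!/bin/sh
# Added example (not the etherboy script or anything posted in the thread):
# an init-style wrapper for running BIND 8 named chrooted and unprivileged.
# Assumptions (labelled): named accepts -u/-g/-t as BIND 8.2.x does, the
# chroot is laid out under $CHROOT with /etc/named.conf and /var/run inside
# it, and reload is done by SIGHUP instead of through the ndc control pipe.

CHROOT="${CHROOT:-/chroot/named}"         # assumed location of the jail
NAMED_USER="${NAMED_USER:-named}"         # unprivileged account named drops to
NAMED_GROUP="${NAMED_GROUP:-named}"
NAMED_BIN="${NAMED_BIN:-/usr/sbin/named}"

# named writes /var/run/named.pid relative to the chroot root; this is the
# same file as seen from outside the jail.
pidfile() { echo "$CHROOT/var/run/named.pid"; }

# Root starts named so it can bind port 53; -u/-g then drop privileges and
# -t chroots. -c is interpreted relative to the new root.
build_named_cmd() {
    printf '%s -u %s -g %s -t %s -c /etc/named.conf\n' \
        "$NAMED_BIN" "$NAMED_USER" "$NAMED_GROUP" "$CHROOT"
}

# True if $1 is owned by NAMED_USER (POSIX find: -prune keeps only $1 itself).
owned_by_named_user() {
    [ -n "$(find "$1" -prune -user "$NAMED_USER" 2>/dev/null)" ]
}

# The gotchas the thread lists: the config must exist inside the jail, and
# the pid directory must be writable by the unprivileged user or named will
# start and then fail to record its pid. Prints each problem; returns 0 if clean.
preflight() {
    rc=0
    [ -f "$CHROOT/etc/named.conf" ] || { echo "missing $CHROOT/etc/named.conf"; rc=1; }
    if [ ! -d "$CHROOT/var/run" ]; then
        echo "missing $CHROOT/var/run"; rc=1
    elif ! owned_by_named_user "$CHROOT/var/run"; then
        echo "$CHROOT/var/run is not owned by $NAMED_USER; named.pid cannot be written"; rc=1
    fi
    return $rc
}

# Pid of the running daemon; fails if the pidfile is absent.
named_pid() { [ -f "$(pidfile)" ] && cat "$(pidfile)"; }

do_start() {
    preflight || return 1
    cmd=$(build_named_cmd)
    if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else $cmd; fi   # unquoted: split into args
}

do_stop() {
    pid=$(named_pid) || return 1
    kill "$pid"
}

# BIND 8 named re-reads named.conf and reloads its zones on SIGHUP, so a
# reload needs neither ndc nor its control pipe inside the jail.
do_reload() {
    pid=$(named_pid) || return 1
    kill -HUP "$pid"
}

# "ndc restart" re-execs named as the unprivileged user, which can no longer
# bind port 53; a full stop/start driven from root avoids that.
do_restart() { do_stop; sleep 1; do_start; }

# Dispatch only when invoked with an action, as an init script would be.
if [ $# -gt 0 ]; then
    case "$1" in
        start)   do_start ;;
        stop)    do_stop ;;
        reload)  do_reload ;;
        restart) do_restart ;;
        *) echo "usage: $0 {start|stop|reload|restart}" >&2; exit 1 ;;
    esac
fi
```

Run it as `sh named-chroot.sh start` from root; `preflight` refuses to launch named when the jail is missing its config or when `var/run` is not owned by the unprivileged account, which is the failure the thread describes as silent. Set `DRY_RUN=1` to print the composed command line instead of executing it.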