chrooting bind

Barry Margolin barmar at genuity.net
Thu Aug 16 17:39:31 UTC 2001


In article <9lgvno$da2 at pub3.rc.vix.com>,
Christopher L. Barnard <cbar44 at tsg.cbot.com> wrote:
>Maybe I am missing something here, but according to the bind9ARM, using the -t
>flag to bind still requires you to set up a sandbox just as if you were going
>to chroot the binary:

I think the part about libraries may not be necessary in BIND 9.  In BIND 8
it was necessary because named-xfer was a separate program.  Since it was
spawned from within the chroot jail, it would look for shared libraries in
there.

In BIND 9 zone transfers are handled by threads in the named process.  The
OS performs dynamic linking of the named process before command line
arguments are processed, so obviously this happens outside the -t jail.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
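An added example, not part of this post or of BIND itself: a POSIX sh check of a BIND 9 `-t` jail for the files named opens after it has chrooted (its config, the zone files that config names, and device nodes), deliberately ignoring shared libraries for the reason given above. The required-file list and the minimal named.conf parsing are assumptions about a typical layout, not something the post specifies.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a BIND 9 "-t" jail for the
# things named opens AFTER chroot(): its config, the zone files that config
# names, and the device nodes it reads. Shared libraries are deliberately not
# checked, since the dynamic linker runs before named ever processes "-t".
# The required-file list is an assumption about a typical BIND 9 layout.

# Usage: check_jail JAIL_DIR [CONF_PATH_INSIDE_JAIL]
# Prints one line per missing item; returns 0 only if nothing is missing.
check_jail() {
    jail=$1
    conf=${2:-/etc/named.conf}
    missing=0

    # Directories named must be able to reach once its root is the jail.
    for d in /etc /dev /var/run; do
        [ -d "$jail$d" ] || { echo "missing directory: $jail$d"; missing=$((missing + 1)); }
    done

    # Device nodes (must be real character devices, not plain files).
    for n in null random; do
        [ -c "$jail/dev/$n" ] || { echo "missing device node: $jail/dev/$n"; missing=$((missing + 1)); }
    done

    # The config is read relative to the jail, so it must be inside it.
    if [ ! -f "$jail$conf" ]; then
        echo "missing config: $jail$conf"
        return 1
    fi

    # Zone files: 'directory' from options, then every 'file "..."' directive.
    # The [^-] guard keeps 'pid-file "..."' and 'key-directory "..."' from being
    # mistaken for zone statements. Absolute paths are jail-relative too.
    zonedir=$(sed -n 's/.*[^-]directory[[:space:]]*"\([^"]*\)".*/\1/p' "$jail$conf" | head -n 1)
    zonedir=${zonedir:-/var/named}
    for f in $(sed -n 's/.*[^-]file[[:space:]]*"\([^"]*\)".*/\1/p' "$jail$conf"); do
        case $f in
            /*) p="$jail$f" ;;
            *)  p="$jail$zonedir/$f" ;;
        esac
        [ -f "$p" ] || { echo "missing zone file: $p"; missing=$((missing + 1)); }
    done

    [ "$missing" -eq 0 ]
}
```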

