Should bind 9 be installed in chrooted environment?

Simon Waters Simon at wretched.demon.co.uk
Sat Dec 22 19:16:39 UTC 2001


Angelina Paunovic wrote:
> 
> To avoid this problem in the future, I am thinking to install bind out
> of chrooted environment.

BIND 9 has an option to "chroot" the executable after it starts
"-t dirname".

This is the simple way to chroot BIND 9. You do not need any
system files in the "-t" directory for most uses of BIND. You
must ensure that the system files required to provide entropy
for random number generation are available for DNSSEC use,
usually this means making a chrooted /dev/random.

In order for chroot to be effective the process must run as an
unprivileged user.

> But the security issue comes. Is bind 9 more secure in chrooted

Yes. How the "-t" chroot compares with the traditional approach
to chrooting, I've not seen discussed. The "-t" approach
presumably allows room for the software developers to accidentally
compromise the chroot jail in the code, unlike the traditional
approach.

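As an added example (not part of the original post, and not BIND's own tooling), the shell below prepares a minimal jail with the /dev/random node the reply says DNSSEC needs, refuses to build the named command line unless the jail has entropy and the target user is unprivileged, and uses named's "-t" together with its "-u user" option to switch to that user after start. The jail path, user name and config path are assumptions.

```sh
#!/bin/sh
# Assumed values (not from the original post): jail directory, unprivileged
# user, and the config path as seen from inside the jail.
JAIL="${JAIL:-/var/named-chroot}"
NAMED_USER="${NAMED_USER:-named}"
NAMED_CONF="${NAMED_CONF:-/etc/named.conf}"

# 0 if DIR/dev/random exists and is a character device (what named needs
# inside the jail for DNSSEC random numbers), 1 otherwise.
chroot_has_entropy() {
    [ -c "$1/dev/random" ]
}

# 0 if the user exists and is not uid 0; a chroot is ineffective for root.
is_unprivileged_user() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ne 0 ]
}

# Create the directory layout and the /dev/random node (mknod needs root).
# Major/minor 1,8 is the Linux /dev/random device; verify with ls -l /dev/random.
prepare_chroot() {
    dir="$1"
    mkdir -p "$dir/dev" "$dir/etc" "$dir/var/named" "$dir/var/run" || return 1
    if [ ! -c "$dir/dev/random" ]; then
        mknod -m 644 "$dir/dev/random" c 1 8 || return 1
    fi
}

# Print the named invocation only once both preconditions hold; 1 otherwise.
# -t chroots after start, -u drops to the given user, -c names the config.
named_command() {
    chroot_has_entropy "$1" || { echo "no /dev/random in $1" >&2; return 1; }
    is_unprivileged_user "$2" || { echo "$2 is not an unprivileged user" >&2; return 1; }
    echo "named -t $1 -u $2 -c $NAMED_CONF"
}

# Usage (as root): prepare_chroot "$JAIL" && eval "$(named_command "$JAIL" "$NAMED_USER")"
```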