Chrooting BIND

Adam Lang aalang at rutgersinsurance.com
Mon Jun 4 15:25:45 UTC 2001


Since we are getting 3 questions a week on the chrooting and the compiling,
should someone post a FAQ or something about it on the ISC-BIND site?  This
way when the multitudes of people keep asking, we can just say "read the
faq"?

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
----- Original Message -----
From: "Bill Larson" <wllarso at swcp.com>
To: "Hugo F. Martinez" <hmartinez at cti.com.ar>
Cc: <kerry.liles at softwarespectrum.com>; <bind-users at isc.org>
Sent: Monday, June 04, 2001 9:38 AM
Subject: Re: Chrooting BIND


>
> The original response was slightly misleading, but the request was very
> correct.  It is very useful to know what platform you are running on.
>
> Now, it is never necessary to recompile a software application to run
> in a chroot operation.  Chroot only requires that the environment be
> correctly configured - access to other executables that will be run
> (such as named-xfer), access to the files to be read (/etc/named.conf
> and any master zone files), the ability to write needed files (slave
> zone files and log file, if needed), and the ability to write to syslog
> if necessary.  This may require that copies of shared libraries be
> available, and pared down /etc/passwd and /etc/group files to control
> execution of additional programs.
>
> As long as these requirements are met, there is no requirement to
> require any application for chroot execution.  You may want to
> recompile to provide a better set of path names for the chroot
> environment, but most of this can be set explicitly in
> /etc/named.conf.  I don't recommend assuming that compiled in default
> paths are correct.  Explicitly specify the directory paths in the
> /etc/named.conf file for any files needed by named.
>
> Follow-up question: With BIND-9 that does not have a separate
> named-xfer, there should be no need to copy shared libraries since no
> additional executables are run, but is it still necessary to have a
> pared down /etc/passwd file in the chroot environment?
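The requirements listed in the quoted message (writable directories for slave zones, pid and log files, explicit paths in named.conf, and pared-down passwd/group files) translate into a small jail-building script. The script below is an added example, not code from either poster or from ISC: it assumes a BIND 9 `named` that accepts `-t` (chroot) and `-u` (user), a `named` account with constructed uid/gid 53, and Linux device numbers for /dev/null and /dev/random. The jail path, the named.conf contents and the passwd/group entries are constructed samples.

```shell
#!/bin/sh
# build_named_jail.sh: skeleton of a chroot jail for BIND 9 (added example).
# Writable-by-named directories are limited to slave zones, pid file and logs;
# everything else stays root-owned and read-only for the daemon.
set -eu

build_named_jail() {
    jail="$1"

    # Directory layout as seen from outside the jail.
    for d in etc var/named var/named/slaves var/run var/log dev; do
        mkdir -p "$jail/$d"
    done

    # Pared-down passwd/group: only what named needs to map its own uid/gid.
    # Constructed sample ids; take the real ones from the host's passwd/group.
    printf 'root:x:0:0:root:/:/bin/false\nnamed:x:53:53:BIND:/:/bin/false\n' \
        > "$jail/etc/passwd"
    printf 'root:x:0:\nnamed:x:53:\n' > "$jail/etc/group"

    # Every path is stated explicitly (relative to the jail root), so nothing
    # depends on compiled-in defaults. Constructed minimal configuration.
    cat > "$jail/etc/named.conf" <<'EOF'
options {
    directory "/var/named";
    pid-file  "/var/run/named.pid";
    recursion no;
};
logging {
    channel jail_log { file "/var/log/named.log"; severity info; };
    category default { jail_log; };
};
EOF

    # Device nodes need root; skip them when run unprivileged.
    if [ "$(id -u)" = "0" ]; then
        [ -c "$jail/dev/null" ]   || mknod -m 666 "$jail/dev/null"   c 1 3
        [ -c "$jail/dev/random" ] || mknod -m 644 "$jail/dev/random" c 1 8
        # Hand the writable directories to the named user if it exists.
        if id named >/dev/null 2>&1; then
            chown named:named "$jail/var/named/slaves" "$jail/var/run" "$jail/var/log"
        fi
    fi
    chmod 750 "$jail/var/named/slaves" "$jail/var/run" "$jail/var/log"
}

# Returns 0 when every file the jailed named needs is present, 1 otherwise.
check_named_jail() {
    jail="$1"
    for f in etc/named.conf etc/passwd etc/group; do
        [ -f "$jail/$f" ] || return 1
    done
    for d in var/named var/named/slaves var/run var/log dev; do
        [ -d "$jail/$d" ] || return 1
    done
    grep -q '^named:' "$jail/etc/passwd" || return 1
    return 0
}

# Usage (as root): build_named_jail /chroot/named && check_named_jail /chroot/named
```

After building the jail, `named-checkconf -t /chroot/named /etc/named.conf` validates the configuration from inside the jail, and `named -t /chroot/named -u named` starts the daemon chrooted and unprivileged. Logging to syslog from inside the jail needs the syslog daemon to open an extra socket under the jail (for sysklogd, `syslogd -a /chroot/named/dev/log`); which flag does that depends on the syslog implementation in use, so treat that invocation as an assumption to verify on your platform.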
