BIND8, BIND9 static compilation problems
Kevin Darcy
kcd at daimlerchrysler.com
Wed Oct 15 22:08:43 UTC 2003
Ivan Ivanovic wrote:
>Quoting Mark.Andrews at isc.org:
>
>>The names service switch library (required for looking up the
>>password) requires routines that are part of the C library and
>>are not already linked into the executable.
>
>then, what is the point of creating static binary when it's not
>functional in production env.? No wonder BIND (ISC) software hits
>first place at SANS "The Twenty Most Critical Internet Security
>Vulnerabilities" http://www.sans.org/top20/#u1
>when you have this approach to security measures.
>
>>Now why are you starting named using chroot(8) rather than using
>>-t which executes chroot(2) at the right point i.e. *after*
>>the NSS library is loaded. Note named-xfer doesn't require NSS.
>
>first, I don't have any libs on production system,
>
Hold on there. Please clarify. Do you claim to have no libraries at all,
anywhere on your production system? Or did you just mean you have no
libraries in the chroot jail on your production system? If chroot'ed
properly, BIND 9 shouldn't need any libraries in the chroot jail. But if
you mean you don't have any libraries at all anywhere on your production
system, then that's highly unusual and you can't really expect BIND to
support such a weirdo setup "out of the box"...
- Kevin
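
The ordering described in the quoted text (NSS lookup first, chroot(2) afterwards), as an added example that is not part of the original post and is not BIND's source. The function names `resolve_account` and `enter_jail` are hypothetical, and the program must be started as root for the jail step to succeed.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper type: the numeric ids resolved before entering the jail. */
struct account { uid_t uid; gid_t gid; };

/* Step 1, outside the jail: getpwnam() goes through NSS, which may load
 * libnss_* modules and read /etc/nsswitch.conf and /etc/passwd. */
int resolve_account(const char *name, struct account *out)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    out->uid = pw->pw_uid;
    out->gid = pw->pw_gid;
    return 0;
}

/* Step 2: enter the jail, then drop root. Nothing from here on needs NSS,
 * so the jail does not have to contain any libraries for this lookup. */
int enter_jail(const char *dir, const struct account *acct)
{
    if (chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0)          /* clear supplementary groups */
        return -1;
    if (setgid(acct->gid) != 0 || setuid(acct->uid) != 0)
        return -1;
    /* Regaining root must fail, otherwise the process could leave the jail. */
    if (acct->uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv)
{
    struct account acct;
    if (argc != 3) { fprintf(stderr, "usage: %s user jaildir\n", argv[0]); return 2; }
    if (resolve_account(argv[1], &acct) != 0) { fprintf(stderr, "unknown user\n"); return 1; }
    if (enter_jail(argv[2], &acct) != 0) { perror("enter_jail"); return 1; }
    printf("jailed as uid=%ld gid=%ld\n", (long)acct.uid, (long)acct.gid);
    return 0;
}
```

Swapping the two steps reproduces the failure under discussion: the lookup then runs inside the jail, where the NSS modules and /etc/passwd are absent.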